DEPLOYING WINDOWS VISTA

Microsoft simplifies Vista deployment by distributing only one Vista install
image and letting you easily add updates and features to produce custom
images.

Blocking Web Sites in ISA Server

Perform content filtering with ISA on a shoestring budget—all it takes is
a blacklist service subscription, a little rule configuration, and a couple
of scripts.

TRICKS & TRAPS

Ask the Experts

Our experts answer your questions about securing company data that might be
at risk because of lost or stolen mobile devices and about a problem that might
arise when trying to use ADSI Edit to delete an object.

Reader to Reader

A reader shares a batch file he wrote to deploy the Dell Client Configuration
Utility (DCCU).

REQUIRED READING: BACKUP AND RECOVERY

Backup and Recovery Basics

Every business needs a comprehensive data protection plan. Here's how to
begin creating one for your company.

Keep an Eye on Server Performance

Manage server performance with Microsoft's SPA utility—it collects data from
multiple servers, generates reports and email notifications, and helps you
establish a performance baseline.

Running Legacy Applications as a Least-Privileged User

Use the Windows ACT to overcome problems related to limited user accounts
and legacy application compatibility.

Windows SharePoint Services 3.0 Out of the Box

Walk through site setup and configuration to understand new features and
functionality.

Getting to Know Office 2007

Learn about key features in Microsoft Office 2007 System, such as Open XML
format files, the Ribbon UI, a new way to synchronize installations, and how to
convert between Office 2007 and older Office file types.

Karen Forster

IT Pro Perspective

The Value of Vista, Office, and Exchange

Microsoft is touting "people-ready business" as a primary reason to upgrade
to Vista, Office 2007, and Exchange 2007. Are you convinced? InstantDoc ID 94455

Windows Vista Express Upgrade

If you purchased a new Windows XP PC during the holidays, you probably
qualify for a low-cost upgrade to Vista. InstantDoc ID 94218

Getting a Jump on Vista

Michael Winslett and Jerry Meeker of AMD's IT organization share their
insights about implementing Windows Vista and how the new OS is helping AMD
lower IT costs.

New & Improved

Check out the latest products to hit the marketplace.

PRODUCT SPOTLIGHT
Neon Software's Cybergauge 7.0

Industry Briefings

Our editors share insights from their conversations with Sana Security,
Embotics Corporation, and iQstor Networks.
Paul's Picks

Paul takes a look at the newest release of Windows Vista and the
Microsoft Office 2007 System.

Asigra Televaulting 6.2

Remote backup is an attractive option with the compression available
from Asigra Televaulting 6.2.

InstantDoc ID 94096

—JOEL B. BARKER

REVIEW

Activeworx Security Center 3.5

CrossTec Activeworx Security Center 3.5 monitors security-related events
for a variety of devices from one console.

Document Control 6.0

Liquid Machines' document control system secures sensitive documentation
that needs to meet compliance and security requirements.

What’s Hot

Readers highlight favorite products: Gabriel Topala's System Information
for Windows, Dominik Reichl's KeePass Password Safe, Barracuda
Networks' Barracuda Spam Firewall 300.

BUYER’S GUIDE

Antispam Solutions for Business

If your business wants to upgrade to the next generation of spam-control
products, here's information to help you make the best choice.

It’s Hard to Warm Up

All work and no play can lead to a cold, impersonal work
that will help your team enjoy coming to work. InstantDoc ID 94033

Mark Minasi

Windows Power Tools

SC’s Dependency Problems

Learn how to use dependencies
specifically control a service's load
Email Discovery and Compliance

You know you need to manage your email data, but how do you do it? What steps
are you taking? What additional measures should you enact? What shouldn’t you do?
Get answers to these questions from this free eBook, and get control of your vital
messaging data.

http://www.windowsitpro.com/go/ebooks/ilumin/discovery

“Leveraging Centralized Event Log Monitoring”

Event Log (for Windows systems) and Syslog (for UNIX/Linux systems) contain a
wealth of information. In this free on-demand Web seminar, you’ll learn about the
processes, challenges, and benefits of consolidating events on a central server. Plus,
you’ll identify the 50 critical events that your enterprise should be monitoring.

http://www.windowsitpro.com/go/seminars/prism/eventlogdec

Top 5 Reasons for Storage Consolidation

Do you know where your information is? Is it protected? Backed-up? Download
this free podcast to learn about the five most important reasons to consider
storage consolidation.

“Sticking with Windows XP in a Windows Vista World”

This month’s cover story focuses on Windows Vista, but what if you’re not
quite ready to upgrade? In this SuperSite Technology Showcase, Paul explains how
Windows XP users can still survive in the wake of Vista’s release. Discover XP
replacements for popular Vista applications and features.

http://www.winsupersite.com/showcase/winvista_xp_apps.asp

Don’t Be Just a Pro, Be a Pro VIP

As a Pro VIP member, you’ll have access to the same great technical articles that
have been the hallmark of Windows IT Security, Windows Scripting Solutions, and
Exchange & Outlook Administrator. Membership benefits include: weekly email
messages or RSS notifications linking to a new online article; a monthly email
newsletter that includes commentary from the editor and a printable version of
recent online articles; access to the Pro VIP Web sites and members-only forums;
and access to the Windows IT Security, Windows Scripting Solutions, and Exchange
& Outlook Administrator article archives. Become a VIP today!

http://www.securityprovip.com
Your Savvy Assistant

Let your new assistant gather information for you and pull together resources you might not be aware of. Check out this
Web-exclusive column, which points you to the hottest articles in the systems management, messaging, SharePoint, Office,
networking and hardware, security, and SQL areas. InstantDoc ID 94310

Are you an Oracle professional who has cross-platform responsibilities or do you need to transfer your skill set to SQL
Server? On January 30, 31, and February 1, SQL Server/Oracle experts Andrew Sisson from Scalability Experts and Douglas
McDowell from Solid Quality Learning will teach key concepts about SQL Server 2005 in enterprise database computing
environments. The session will cover how to deploy SQL Server’s business intelligence capabilities on Oracle, proof points
demonstrating that SQL Server is enterprise-ready, and how to successfully deploy Oracle on the Windows platform.

IT Pro Perspective 


The Value of Vista, Office, and Exchange 

Is “People-Readiness” a convincing business reason to upgrade? 


"People-ready business" was the primary catchphrase at the November 30, 2007, "Business Value" launch of Microsoft Windows Vista, Office 2007, and Exchange 2007. Office General Manager Kirk Koenigsbauer said, "It's the synergy among Microsoft Office, Windows Vista, and Microsoft Exchange Server. Together, they deliver the core platform for a people-ready business—one that puts an organization's employees at the center of driving business outcomes and success."

Although I can't argue with the reality that employees drive success, I have to wonder how effectively that slogan will convince IT to hurry and upgrade. In a letter to Microsoft customers, Steve Ballmer said, "The joint launch of Windows Vista, the 2007 Microsoft Office system, and Microsoft Exchange Server 2007 will open the door to an era of even greater productivity and innovation." But I know that the IT department in the company I work for won't even consider any of these products any time soon—especially not based on Microsoft's message that end users need them to be more innovative and productive.

A recent nonscientific poll of our readers indicates that IT is not rushing to deploy Vista: 59 percent of the 350 respondents have no plans to upgrade; 16 percent plan to deploy within 18 months; 11 percent within 12 months, and 13 percent within 6 months. So, as Ballmer asked, "Why should you risk disrupting your business to take advantage of these new features and capabilities?" His answer: "Because business has changed and new tools are required. No one questions the competitive advantages that come when we can communicate and collaborate instantly with colleagues and customers around the world."

Maybe I'm cynical, but that reason sounds a little too squishy for me. Lots of businesses are getting along just fine with the old tools, thank you very much. But are there factors that would be compelling enough to make you eager to upgrade?

Don’t Say “Time and Money”

A marketing expert once warned me never to tell IT pros that something would save them time or money—IT pros know from experience such claims are rarely true. However, IT is under constant pressure to add value to the bottom line while reducing costs—i.e., to save time and money.

So maybe the "people-ready business" slogan is just a way for Microsoft to avoid blatantly claiming that Vista, Office 2007, and Exchange 2007 will save you time and money. From that perspective, I was interested to see Microsoft pointing to a white paper, "Analysis of the Business Value of Windows Vista," which was based on a study Microsoft commissioned from IDC (http://www.microsoft.com/presspass/events/newday/docs/IDCWP.pdf). This study examined companies participating in the Vista Technical Adoption Program (TAP) and found that Vista saves IT and users time and money. Specifically, the annual IT labor cost for Vista is $470; for Windows XP Service Pack 2 (XP SP2), it's $507; for XP, $536; and for Windows 2000 (Win2K) client, $593. The annual end-user labor cost for Vista is $2,281; for XP SP2, $2421; for XP, $2435; and for Win2K, $2462.

According to the white paper, the savings Vista affords come from four major areas:

• Lower service desk costs, which the study attributes to Vista's improved reliability, security, and self-healing abilities.

• Lower desktop engineering and support costs, which the white paper defines as "planning, project management, PC rollouts, security threat evaluation, application and patch deployments and image management."

• Higher end-user productivity, which purportedly results from Vista's improved desktop search and collaboration capabilities.

The white paper concludes, "Our guidance for organizations that want to maximize their return on investment of Windows Vista is that they should use the operating system as a catalyst for improving overall infrastructure optimization. By using this approach, the organization can receive both the core benefits and the potentially much larger IT process improvement benefits simultaneously." That part about "improving overall infrastructure optimization" makes me wonder whether IDC is trying to shore up the argument that Vista inherently saves time and money—after all, this study was paid for by Microsoft.

Are You Convinced?

I'm a tech freak, and I want the latest and greatest of everything the minute it's available. So I'm all over Vista, Office 2007, and Exchange 2007. But out there in the trenches, you still have your day-to-day job to do. Are Microsoft's slogans and claims about "people-ready" business value strong enough to convince you that your organization needs these new products sooner rather than later? Please let me know what factors are important to your plans (or lack of plans) to upgrade. Tell me how this publication can help you.

Hip Social Software

I enjoyed reading Michael Otey's Top 10: “Google Applications" (October 2006, InstantDoc ID 92793). I had never heard of the Firefox extension Gmail Space, but I tried it out and it works OK. I really wish that Google would bless Gmail Space because then I would suggest it to some of my power users who have bumped up against their quota for file services. The problem is that Gmail Space saves documents as email messages, so you are stuck with the 10MB limit per file. Also, I really think Microsoft would show a different side of itself (a hip “social software" side like Google and others) if it created a service whereby people would get a few gigabytes of space that could be mounted as a network drive from within a Windows desktop and that encrypted traffic back and forth. Of course, Microsoft would probably view such a service as a free lunch and wouldn't recognize the great PR it would generate.

—Brian Gibson

2 Views of Vista RC1

I stumbled onto your Web site while searching for something and found my way to a review of Windows Vista Release Candidate 1 (RC1) by Paul Thurrott (http://www.winsupersite.com/reviews/winvista_rc1_02.asp). I had never read Windows IT Pro before, but I was curious as to why Mr. Thurrott was giving so much hate to the x64 version of Vista RC1.

In one area of the article he says, “Applications like Microsoft Office work just fine on the x64 versions of Windows Vista, but almost nothing else does." I'm not sure how many applications he tried, but I'm running Vista RC1 x64 build 5600 (the same version that was available when Paul wrote his review) and have all kinds of typical software that's running great. Granted, a few essentials (such as device drivers that are still in beta) aren't compatible, but it's to be expected that developers who've been writing 32-bit drivers for the past 10 years would take a little longer in a 64-bit environment.

I've actually been pleasantly surprised with Vista RC1 because I'm one of the last people who'd install a beta or RC version on my main system. The only reason I went with the x64 version is because the x86 version sees only 3.25GB of my 4GB total RAM. My setup includes an Intel 975XBX motherboard with a Pentium D processor and 4GB of Corsair RAM. Some of the software I run includes Adobe Photoshop CS2 and Illustrator CS2, Visual Studio .NET, WinRAR, Trillian, and World of Warcraft (I was a little surprised that I had no problems with this one). I noticed that RC2 of the x86 version of Vista came out recently—perhaps the x64 version will follow suit soon.

—Charles Claunch

I'm a network administrator for a small building and remodeling company. I was so eager to try out Vista RC1 that I even maxed out the RAM on my laptop to run it in Microsoft Virtual Server. It's pretty—and that's about it. I don't see my company upgrading any time soon. I love the idea of better security and least privilege, but nearly all the conventions that I learned since Windows 3.1 are just about gone. My users and I are going to be playing catch-up for years. If you want pretty you buy a Mac. If you want to work you buy Windows. I'm sick of the PC becoming more of a toy than a tool. Games are great, and I'm sure Vista will make them look incredible, but that doesn't help most of us. Microsoft has some great ideas with Vista. Fine, let's take those ideas, put Vista back on the shelf, and bring out Windows XP SP3 because some of us have work to do.

—Joe Serrago

TechNet Plus Suggestions

After reading Karen Forster's IT Pro Perspective: “Just-In-Time or Just-Too-Much Information?" (October 2006, InstantDoc ID 93454), I have some comments to make about TechNet Plus. The new subscriber downloads are great, but now I don't really need the CD shipments. It would be nice if I could convert my subscription to a direct subscription to stop the CDs from coming. It would be even nicer to get a few months free to reflect the lower price. A way to recycle old CDs would also be nice. Finally, I would like to see an expanded number of newsgroups offered under the managed newsgroups.

—Iwan Kinal

My company uses TechNet CDs for disaster recovery: If we were to lose our building or if we couldn't access online resources quickly, we'd at least have the media to refer to. Another reason we keep the CDs is because we use older versions of Windows and Exchange. I've noticed that older support resources are often archived or taken offline in favor of newer articles. If you rely only on online support resources, you might lose access to the support you need most.

I don't believe Microsoft will keep information on older systems online because it wants everyone to upgrade to the latest software.

—Vincent Rees
InstantDoc ID 94462



EDITOR’S NOTE

Windows IT Pro welcomes feedback about the magazine. Send comments to
letters@windowsitpro.com, and include your full name, email address, and daytime
phone number. We edit all letters and replies for style, length, and clarity.

Need to Know 


What You Need to Know About... 

Windows Vista Express Upgrade 


With Windows Vista finally shipping, customers who want to migrate to the new OS have choices to make. Volume-license customers, of course, should have access to Vista Enterprise Edition by the time you read this article. New PCs with Vista preinstalled and retail-boxed versions of the OS are due by late January. For those who want to purchase a PC immediately but don't want to be locked out of Vista, Microsoft and its hardware partners offer an Express Upgrade that might meet your needs. Here's what you need to know about the Windows Vista Express Upgrade.

Migration Insurance

Microsoft created the Express Upgrade in an effort to prevent PC sales from declining during the crucial 2006 holiday selling season. But because the program runs through March 15, 2007, it also provides individuals and small-business customers with a measure of insurance that they can migrate their new PCs to Vista without spending a lot more.

Here's how the program works: Customers who purchase a new Windows XP PC from a participating system builder or PC manufacturer, such as HP or Dell, can qualify for a free or low-cost upgrade to a comparable Vista product edition. However, confusion can arise because Microsoft doesn't offer the Express Upgrade directly, but in tandem with participating PC makers. Consequently, you need to ensure that the program covers the PC you buy during the qualification time period.

Qualifying Versions

The big question, of course, is which XP versions qualify for which Vista versions. Customers who purchase a PC that has Windows XP Professional Edition or XP Tablet PC Edition preinstalled will be able to get a free—or nearly free (you might have to pay a shipping and handling charge)—upgrade to Vista Business. PCs and workstations with XP Professional x64 Edition preinstalled qualify for a free or inexpensive upgrade to Vista Business 64-bit edition.

On the consumer side, PCs preinstalled with XP Media Center Edition 2005 qualify for a free or inexpensive upgrade to Vista Home Premium. Customers who purchase a PC with XP Home Edition qualify for an upgrade to Vista Home Basic or Vista Home Premium at a cost of 50 percent of the retail price of the Vista upgrade edition of the product. Thus, an upgrade to Vista Home Basic should cost about $49 in the United States, and Vista Home Premium should cost about $79. Because neither Vista Home Basic nor Vista Home Premium can participate in Active Directory (AD)-based domains, these versions aren't suitable for use in home-based or small businesses. (To learn more about these upgrade options, see "Windows Vista Express Upgrade," http://www.winsupersite.com/showcase/winvista_express_upgrade.asp.)

Another Upgrade Route

Microsoft also offers another upgrade path, though the company has yet to reveal its cost. Because every Vista product edition ships with the same installation DVD (only the product key used during setup determines which version is installed), Microsoft can support in-place upgrades from certain Vista versions to others. This feature, called Windows Anytime Upgrade, will let you, for example, electronically upgrade your copy of Vista Home Basic to Vista Home Premium or Vista Ultimate. You can also use this method to upgrade from Vista Home Premium or Vista Business to Vista Ultimate.

Technically, then, it will be possible to buy an XP Home Edition PC in early 2007, get an Express Upgrade to Vista Home Basic, and then use Windows Anytime Upgrade to upgrade to Vista Ultimate. The result is a PC that will be able to connect to AD-based infrastructures and access other business-oriented Vista features, such as Remote Desktop. Whether such an upgrade is financially viable remains to be seen, but what's interesting is that it's even possible.

Recommendations

Microsoft typically offers individuals a way to ensure that new PCs purchased shortly before the release of a new OS version won't quickly become outdated. Express Upgrade isn't much different than previous coupon-based programs, which is really too bad: Rather than relying on PC makers to distribute these upgrades, Microsoft should have let customers pursue other options, including downloading the Vista upgrades when they become available. The other problem is cost: Because each participating PC maker sets its own fees for Express Upgrade, some might use the program as an excuse to add to their bottom line.

My advice for individuals and small businesses is to wait for Vista-based PCs to appear in early 2007 and forgo Express Upgrade if possible. You'll get the best experience with Vista if you don't have to upgrade from XP yourself.

InstantDoc ID 94218

Paul Thurrott (thurrott@windowsitpro.com) is the news editor for Windows IT Pro. He writes a weekly editorial for Windows IT Pro UPDATE (http://www.windowsitpro.com/email) and a daily Windows news and information newsletter called WinInfo Daily UPDATE (http://www.wininformant.com).


For an in-depth review of Vista, including a look at the different product editions, installation options, compatibility concerns, and new features, visit Paul Thurrott’s SuperSite for Windows at http://www.winsupersite.com/reviews/winvista.asp.
Blake Eno (products@windowsitpro.com) is product editor for Windows IT Pro and SQL Server Magazine.

Replace Traditional Passwords with Multifactor Authentication

Saflink announced Saflink EntryPoint 2.0, an information security solution that enables small-to-midsized businesses (SMBs) to replace standard password-based Active Directory (AD) log-on processes with a dedicated security appliance, client software, and USB tokens. Saflink also released two complementary products to EntryPoint 2.0—EP-Biometric and EP-Connect. EP-Biometric replaces Windows passwords with multifactor authentication and EP-Connect lets remote workers gain secure access to your company’s VPN and Outlook Web Access (OWA). For more information, contact Saflink.

www.saflink.com, 800-388-4674

Keep Your Offsite Workers Flexible and Mobile

DataViz announced updates to its mobile office suite for the Palm OS platform, Documents To Go 9.0, which lets your mobile users create, view, and edit Microsoft Office Word, Excel, and PowerPoint files on Palm OS mobile devices. Documents To Go has replaced its DocSync Technology—which requires wired synchronization between PCs and mobile devices to retain complex file formatting when a user views or edits files on a mobile device—with InTact Technology. This new technology retains original file formatting when you edit and email Office files on your mobile device and doesn’t require synchronization with your office PC. You can edit and email files from your mobile device in confidence that the formatting of the original document hasn’t changed. The software also features an integrated file explorer that lets you browse files on your device or an expansion card. For a complete list of Documents To Go pricing options, visit DataViz’s Web site.

www.dataviz.com, 203-874-0085


Experience the Benefits of Going Virtual 

DataCore Software announced the addition of SANMelody Virtual Infrastructure Foundation to 
its SANMelody family of products, which convert PC servers into expansion disk servers. Virtual 
Infrastructure Foundation lets entry-level users and small-to-midsized businesses (SMBs) enjoy 
the benefits of virtualization by leveraging existing Ethernet and IP/LAN network interconnections 
to optimize storage space and automate capacity utilization across servers. The product is hardware-independent and lets you 
consolidate and manage as much as 3TB of storage. Virtual Infrastructure Foundation costs $948. 

www.datacore.com, 954-377-6000, 877-780-5111 



Product Spotlight 



Canary in a Coal Mine 

www.neonsoftware.com, 925-283-9771, 800-334-6366

When it comes to rooting out bandwidth problems, Craig Isaacs, president of Neon
Software, likes to take the “canary in a coal mine” approach. It’s essential to discover such
problems immediately and gather “what” and “where” information because bandwidth is
a valuable commodity. When mission-critical devices become overloaded or unavailable,
customer relations, order processing, manufacturing, inventory, and telephone systems can
all go down, resulting in lost productivity and revenue. Neon Software’s CyberGauge 70 for
Windows helps network administrators monitor and manage Internet bandwidth by
automatically creating real-time utilization graphs as well as daily, weekly, and monthly Quality of
Service (QoS) and billing reports. With CyberGauge, companies can monitor and plan
bandwidth usage and provide detailed documentation for audits and compliance. The product
is priced according to the number of devices it monitors. Isaacs is particularly proud of his
product’s Help system, which is extremely dynamic and “actually works!”


New & Improved 


EDITOR’S NOTE: Send new product 
announcements to products@windowsitpro.com. 

Monitor Bandwidth Usage and
Network Device Use

Paessler AG announced PRTG Traffic Grapher 6.0, a network 
monitoring and bandwidth-usage solution. This Windows- and 
Web-based software helps you manage any size network, from 
small LANs to larger installations with thousands of sensors, 
by providing live readings and long-term usage trends. PRTG 
Traffic Grapher’s Web 2.0 approach lets you associate tags 
with sensors, which the software can then filter according to 
the tags. The Event Manager component keeps track of error 
messages and notifications for each sensor in your network, 
and the latency sensor monitors the network latency of devices 
or data lines to find overloaded network devices. PRTG Traffic 
Grapher pricing starts at $99.95 for the professional edition 
with a 25-sensor license. A freeware edition of the software 
with three sensors is available at Paessler’s Web site. 

www.paessler.com 



Eliminate Scheduled 
Defragmentation 

Diskeeper released a new version of its defragmentation
solution, Diskeeper 2007, that features InvisiTasking technology
to allow any system maintenance task to run invisibly
in the background. This technology automatically and
transparently handles fragmentation as it occurs, providing
a better-running system and eliminating scheduled defragmentation.
The software’s patented Intelligent File Access
Acceleration Sequencing Technology (I-FAAST) 2.0 can
increase file access and creation speed over the speed of
the original system by as much as 80 percent. Diskeeper’s
Terabyte Volume Engine 2.0 defrags high-capacity and
high-traffic servers with disk volumes containing hundreds
of thousands to millions of files. Contact Diskeeper for
pricing information.

www.diskeeper.com, 818-771-1600, 
800-829-6468 









Simplify Identity and 
Access Management 


A10 Networks announced firmware updates to its IDsentrie
platform, which simplifies identity and access management
within your network. IDsentrie’s IP-address-to-user-identity
(IP-to-ID) service lets you instantly identify users across
your network, eliminating the time-consuming process of
resolving IP addresses to individuals. The Universal Identity
Resolver (UIR) utility lets you connect your existing security,
networking, and identity resolution services. Additional
IP-to-ID support has been added in IDsentrie for Windows
NT 4.0 and Novell eDirectory. DHCP and authentication
enhancements let IDsentrie quarantine unauthorized users
until they can be authenticated. Password prompts and
security questions are now offered in English, Chinese,
and Japanese.

www.a10networks.com, 408-325-8668, 888-210-6363


Manage Your Physical and Virtual 
Environment from One Console 

INSYSTEK announced new Virtualize IT management features
that will appear in the 5.0 versions of the company’s
systems management solutions. INSYSTEK’s Virtualize IT
technology manages complex virtual infrastructures from a
single console, enabling you to discover and map virtual
environments, create virtual machines, and track physical and
virtual relationships. The software provides a common UI that
manages VMware VirtualCenter and Windows desktops and
servers. From this unified view, you can control and configure
physical systems and virtual machines and resources.
Virtualize IT solutions are also scalable and capable of handling
thousands of servers and virtual machines. The software’s
hierarchical management features let you manage at the
VirtualCenter, folder, host, or resource pool level.

www.insystek.com, 785-273-4100, 


InstantDoc ID 94366 
Sana Tracks Emerging Threats

“One thing going on right now,” says John Zicker, CEO of Sana Security
(http://www.sanasecurity.com), “is that an intrusion such as a buffer overflow or
code injection attack is no longer a single attack—it’s made up of multiple variants
that each look a little different.” These types of multipronged attacks are harder
for signature-based antivirus products to keep up with because they require antivirus
software vendors to create and distribute multiple signatures, instead of just one, to all
their customers. And according to Sana’s findings, 70 to 75 percent of malware is
introduced into a network in this way.

Sana’s technology for intrusion detection looks at the behavior of an application to
determine whether it’s valid software or malware. So, that application doesn’t need to be
continually updated with new signatures. A new product offering, Primary
Response Memory Shield, takes a subset of the technology found in existing Sana products that
detects these types of attacks and packages it at a lower price point aimed at small-to-midsized
businesses (SMBs) or at less-critical servers in larger companies.

An upcoming Sana product is the Active Malware Detection Technology Center, a Web-based 
portal that Zicker says will give subscribers visibility into threats as they emerge and that will be 
priced for SMBs on up. 

—Renee Munshi 


On the Road Toward More Intelligent Software 

Have you ever asked yourself why enterprise networks are so difficult to manage? I recently
spoke with Jay Litkey, CEO of Embotics Corporation (http://www.embotics.com), about that
very question. According to Jay, three factors contribute to the problem of manageability: First,
virtually all enterprise management infrastructure is based on client-server architecture; second, the
necessity for human interaction results in compromised availability while technicians diagnose and
solve problems; and third, in-band management solutions necessarily rely on a functioning OS.

The solution to the problem is to create software
that can function autonomously and make decisions. In
2001, IBM started an initiative to create self-managing,
self-correcting computer systems to counteract the problem
of computers’ rapidly growing complexity. IBM called
this initiative Autonomic Computing. With roots in telecom
computing, Embotics follows the autonomic model by
creating solutions that liberate admins from having to run
around fixing things. By using remote management cards
in servers and virtual partitions in workstations, Embotics
software runs where it won’t be affected when systems
go down. The software’s automated management functions
are based on policy standards that map to Microsoft’s
Dynamic Systems Initiative (DSI), resulting in independent,
self-healing systems.

—Dianne Russell 
InstantDoc ID 94261 




iQstor Makes Storage Solutions Simple and Easy to Use

Early in iQstor Networks’ (http://www.iqstor.com) existence, this storage vendor looked
at the storage landscape and realized that the small-to-midsized enterprise (SME) and
small-to-midsized business (SMB) segments were underserved—and that situation remains
unchanged today. In fact, IDC predicts that network storage will become a $5.7 billion
market opportunity in the SME space by 2010. But to tap into this market, you have to
understand the customer.

I talked with iQstor’s Director of Marketing, Albert Saraie, and he told me that iQstor
knows that SMBs and SMEs often lack the financial resources and IT staff depth and
experience that enterprise companies boast. All iQstor products are developed around
the needs of SMBs and SMEs, and thus are easy to use and to manage. iQstor’s new
iQ2880 4GB FC Storage System is a high-performance 4GB Fibre Channel storage
system with storage functionality such as virtualization, snapshot capability, replication,
and provisioning. “This all-in-one solution is also much cheaper than what you’ll see in
the market,” says Saraie. I asked him how iQstor is able to build this solution, with all
its functionality, at a much lower price point than its competition. He replied that the
answer is simple: “We own the technology.”

—Blake Eno 
What are the hardware requirements for running
Windows Vista?

Microsoft has published the hardware requirements for
Vista at http://www.microsoft.com/technet/windowsvista/evaluate/hardware/vistarpc.mspx.
Basically, the PC must have:

• a modern CPU
• 512MB or more of memory
• a DirectX 9-class graphics processor (64MB of
memory for the full Aero Glass experience)

What are the upgrade paths to Windows Vista? 

Microsoft has released details about the available upgrade
paths to the various versions of Vista. The Table
lists these upgrade paths. Any other versions of current
OSs, including Windows 2000 and 64-bit versions of
Windows XP, can’t be upgraded and will require a clean
installation.

What are taskbar thumbnails in Windows Vista? 

The Vista taskbar has been given an overhaul. Now 
when the mouse rests over an item on the taskbar, a 
live thumbnail of the application content is displayed. 

For example, the Windows Media Player (WMP) 
thumbnail would show video in real-time; a photo 
application would display a photo; and Microsoft Word 
would show the document. 






























Q: Where can I get new gadgets for Windows Vista 
Sidebar? 

A: Additional gadgets for Vista Sidebar are available at
http://gallery.microsoft.com/Results.aspx?vista=landing&rdm=593944&l=1&tj_=2

• After you download the .gadget file, execute it and 
you’ll be prompted to install it. 

• After installing the file, click the plus sign at the top of 
the Windows Sidebar screen to make the new gadget 
available. To uninstall a gadget, simply right-click it 
and select uninstall. 


Q: Is the Windows Image (WIM) format used by the 
Microsoft Systems Management Server (SMS) OS 
Deployment Feature Pack the final version that 
Windows Vista will use? 

A: No, the WIM format that the SMS OS Deployment Feature
Pack uses can be thought of as version 0.9 of the
WIM format, whereas Vista will ship with version 1 of the
format. SMS 4.0 will fully support the Vista WIM format
(1.0) and potentially an update will be made available to
make SMS 2003 Vista WIM format compatible. The new
Vista deployment tools (e.g., Ximage) will work only with
version 1 WIM files and not files created with the SMS
Deployment Feature Pack.


Q: How do I log on to Windows Vista using a domain 
account? 

A: The domain drop-down dialog box doesn’t appear on the
Vista logon screen. Instead, you need to include the domain
name as part of the username. For example, user
John in domain savilltech.com would log on with a username
of john@savilltech.com. You can also use
<Netbios domain name>\<username> (e.g., savilltech\john).


Q: In Windows Vista, how can I change the picture
associated with my domain account?

A: In Vista, even domain accounts have a picture associated
with them. The easiest way to change this picture is
to select Start and click the current image. This opens the
User Accounts Control Panel applet. Select “Change your
picture” and a list of available images is displayed. You
can also click “Browse for more pictures” to look for something
more unique. This new image will then be used in all
locations, including the Start menu and logon screen.
Reviews


Paul’s Picks

Summaries of in-depth product reviews on Paul Thurrott’s SuperSite for Windows
http://www.winsupersite.com

Windows Vista

PROS: Safest, most secure Windows yet; dramatically better deployment technologies
CONS: Two years late to the party; confusing array of product editions; fewer
features than promised
RECOMMENDATIONS: For businesses, migrating to a new Windows version
is always a dicey, expensive affair, but Windows Vista should allay some of
those fears with its excellent hardware and software compatibility as well as
its enhanced upgrade and migration facilities. Obviously, it’s only a matter
of time before you upgrade. The only question is: When?
CONTACT: Microsoft • 800-426-9400 • http://www.microsoft.com
FULL REVIEW: http://www.winsupersite.com/reviews/winvista.asp

Office 2007

PROS: Innovative new UI makes it easier to find previously hidden features
CONS: Only some Office applications get the new UI treatment
RECOMMENDATIONS: Office 2007 is a blockbuster upgrade, and five of its
applications—Word, Excel, PowerPoint, Access, and, to a lesser degree, Outlook—display
a major UI change that drops the old menu-and-toolbar system for a new
interface paradigm based on tabs and ribbons. It sounds silly, but this new UI
makes it easier than ever before to find features you never knew existed in Office
and to create fantastic-looking documents. Office 2007’s training costs do not appear
to be as high as previously thought. This is one Office upgrade you’re going to
want to seriously consider, and its server components, such as a new SharePoint,
are excellent as well. Highly recommended.
CONTACT: Microsoft • 800-426-9400 • http://www.microsoft.com
FULL REVIEW: http://www.winsupersite.com/reviews/office2007.asp

InstantDoc ID 94385


Asigra Televaulting 6.2

Asigra’s Televaulting 6.2 is an offsite backup solution for distributed organizations. The
Televaulting DS-Client resides on a single computer at the remote site and collects files and
data for the entire organization. Through an agentless architecture, the DS-Client encrypts and
compresses SQL Server, Exchange Server, and file data before transmitting it to the offsite
DS-Server. A site administrator can perform a full recovery or retrieve individual files from the
client console without the involvement of an administrator at the DS-Server.

I deployed Televaulting to a small business running Windows 2000 Server and Microsoft SQL
Server 7.0. The installation and setup was relatively straightforward. For the DS-Client and
DS-Server to communicate, I had to modify the firewall. Unfortunately, the documentation
failed to explain exactly which ports and protocols to open or even that this was a necessary
step in deployment. I was able to deduce which ports to open from the installation wizards, but
the documentation should have included an explicit router-configuration step.

The DS-Client uses Advanced Encryption Standard (AES) for storage and transmission of data.
Televaulting also features differential backup capability. After the initial backup, the application
transmits only changed files and records, so additional backups are significantly smaller. The
DS-Client identifies the changed data, then compresses and encrypts the data, providing for a
highly efficient transfer.

Asigra’s marketing materials claim that Televaulting’s compression algorithms can achieve as much
as a 4 to 1 compression ratio. With a blend of SQL Server database and file data totaling 6GB, I
achieved about a 3 to 1 compression ratio. Asigra’s Single Instance Storage (SIS), which identifies
files by using a hash function, could potentially result in larger compression ratios over larger
backups. This sort of compression starts to make offsite backup more viable.

The client/server architecture of Televaulting mirrors a service-provider architecture. In fact, Asigra
also sells Televaulting to service providers who can then offer this solution to smaller clients. The
service-provider architecture also means that the client can initiate backups and perform restores. In an
enterprise, doing so could offload operations from data center personnel onto branch office
administrators or advanced users.

In my testing, I discovered that Televaulting running on a Windows server has no mechanism to
make use of Microsoft Volume Shadow Copy Service (VSS). Furthermore, some files were locked when
I performed the initial backup and weren’t packaged by the client. Although not backing up locked files
is a common problem with older backup applications, I’m surprised that such a high-end application
doesn’t have a resolution for this common problem.

As an enterprise-class application, Televaulting will likely be deployed in a data center. Televaulting
DS-Server employs a SQL Server database, the long-term storage module uses the open-source
PostgreSQL database, and the Web module is built on Apache Tomcat and a MySQL database. If all these
components are working, running them isn’t much of a concern. However, you need to consider whether
the added complexity of supporting all these databases for such a mission-critical system is worth the
effort in your environment.

Large organizations with remote or branch offices and terabytes of data to protect will find
Televaulting a cost-effective and malleable solution for their backup challenges when compared to the
hardware and labor costs of a traditional tape-based backup strategy. For the full-length version of this
review, go to http://www.windowsitpro.com and enter InstantDoc ID 94096.

InstantDoc ID 94096
—Joel B. Barker


Summary

Asigra Televaulting 6.2

PROS: This offsite backup solution can solve all of an enterprise’s needs out of one box: secure
and compressed storage with easy restores
CONS: Confusing architecture, documentation missing vital information, doesn’t make use
of Microsoft Volume Shadow Copy Service, doesn’t handle opened files well
RATING: ♦♦♦♦<
PRICE: First five 200GB increments of compressed data at $11,250 each. Additional
storage at $7,500 per terabyte
RECOMMENDATION: Large distributed enterprises will find this a cost-effective and
easily implemented backup solution.
CONTACT: Asigra • 416-736-8111 ext. 101 • http://www.asigra.com



Aeshen is the official product review lab for Windows IT Pro and 
SQL Server Magazine. To learn more, go to http://www.aeshen.com/lab 
Activeworx Security Center 3.5

CrossTec Corporation’s Activeworx Security Center 3.5 (ASC) monitors security-related
events for a wide array of devices from a single console. The learning curve is steep for
administrators new to SNMP, syslog, Windows Management Instrumentation (WMI), Snort,
and the other monitoring methods and protocols the product targets. Installation is fairly
straightforward, but the UI is a little confusing, and you need to perform a lot of
post-installation configuration on monitored devices to collect syslog and SNMP data.

An illustrated Quick Start guide and an Evaluator's Guide are included with the software.
The Evaluator's Guide helps users learn how to configure ASC components such as the
collectors, which gather event information, and the databases, which store collected
event information.

You manage ASC through the desktop application. The customizable dashboard gives
a graphical overview of the ASC configuration, including which devices are defined
and where they send logging information.

Devices, device groups, and rules for event handling are managed in the Resources
section of the desktop. There is no autodiscovery for devices; each device, called an Asset,
must be created manually, as must device groups and rules. You can create, manage, and
schedule tasks such as automatically generating reports or gathering event data from
devices at timed intervals in the Task Manager and Task Scheduler.

You can create rules for event handling and alerting. A drag-and-drop interface helps
you design the rules, and some basic knowledge of flowcharting will go a long way toward
helping you successfully create rules to handle events.

Support for ASC is available through CrossTec’s Web site or by phone. ASC fills a
unique niche for those organizations that need more robust security monitoring than
less expensive basic server monitoring packages afford, yet don’t need the complexity
or expense of a full-featured enterprise network suite. For the full-length version of this
review, go to http://www.windowsitpro.com and enter InstantDoc ID 94428.

—Karl D. Middlebrooks
InstantDoc ID 94428


Summary

Activeworx Security Center 3.5

PROS: Good monitoring of syslog and Windows event log events; good variety of reports and
graphs; very flexible and powerful for the price; rule-triggered event monitoring
CONS: Setup and management can be tedious; UI is occasionally confusing
RATING: ♦♦♦♦O
PRICE: Begins at $2495 per site
RECOMMENDATION: Recommended for medium-sized businesses that need to
monitor a large number of network devices, particularly if compliance reporting is
required.
CONTACT: CrossTec Corporation • 800-675-0729 • http://www.crossteccorp.com


Document Control 6.0

Liquid Machines’ Document Control 6.0 lets you make policies to control who has read,
write, and print access to your company’s sensitive documents. Document Control 6.0 works as
either a standalone document control system or with RMS to secure sensitive documents that
are exchanged between employees and customers.

Installing the product was simple and intuitive. Built on the Microsoft .NET Framework,
Document Control 6.0 requires SQL Server 2000 to store all document access information under
control. (A separate SQL Server license is also required.) You access document control
administration through a Web interface where policies, reports, and settings are created and
administered. The Document Control 6.0 client must be installed on the local machine for viewing
any of the documents that are under its policy control.

I looked at Document Control 6.0’s auditing reports on the server. These reports were
comprehensive and gave a good overview of how documents were successfully or
unsuccessfully accessed. I was also impressed with how helpful and courteous all the Liquid
Machines representatives were.

Although Document Control 6.0 is basically an extension of RMS, it provides better
coverage of document control than RMS does. Document Control 6.0 can benefit a
variety of industries, including the medical, financial, and manufacturing industries.
Document Control 6.0 can be implemented in any size company, but it’s cost-prohibitive
for smaller companies. This product is worth the investment for large companies that
have sensitive documentation that needs to meet compliance regulation and is shared
(internally or externally) on a regular basis. For the full-length version of this review, go to
http://www.windowsitpro.com and enter InstantDoc ID 94045.

—Michael Cassens
InstantDoc ID 94045


Summary

Document Control 6.0

PROS: Extends RMS, works with AD, provides support in a wide range of industries, and is easy
to use
CONS: Works with only Windows machines and stores data in a SQL Server 2000 database
RATING: ♦♦♦♦O
PRICE: Starts at $30,000 for as many as 100 users
RECOMMENDATION: This product is useful for enterprise-level corporations where the need to
secure sensitive documentation outweighs the product’s cost.
CONTACT: Liquid Machines • 877-885-4784 • www.liquidmachines.com • info@liquidmachines.com


Buyer’s Guide




Antispam Solutions for Business 

Second-generation email protection for your organization 


Historically, spam filtering has occurred at ISPs,
on enterprise gateways (e.g., a DMZ server), on 
mail servers, and on desktops. These strategies, 
especially when they're combined to create a multilayered 
solution, have been effective in reducing the amount of 
spam users receive in their mailboxes. But increases in 
spam create slower mail server processing rates as well as 
require additional storage for messages flagged as potential 
spam. That's why many organizations are looking to replace 
their first-generation spam software solutions either with 
a spam-filtering appliance or by entrusting spam-filtering 
tasks to a hosted service. This Buyer's Guide will help you 
evaluate spam-filtering appliances and hosted services so 
you can choose the technologies that provide the best email 
protection for your organization. 

Purchasing an Appliance 

Spam appliances are standalone devices with OSs designed to 
filter spam. You can deploy spam appliances at your network's
entry point or in front of your mail server. Many appliances
come with preconfigured rules, policies, and lists (e.g., blacklists,
whitelists, vendors' proprietary lists) and are designed to
be ready to perform out of the box. Most appliances include 
a Web-based UI that lets you centrally and remotely manage 
email policies and rules, search for and release quarantined 
email, and generate real-time and historical reports. 

Most appliance vendors supply daily spam rules updates 
to keep their appliance effective against the latest threats. 
Some vendors provide this update service free for one year 
when you purchase their appliance; other vendors offer their 
update service on a subscription basis at additional cost. An 
advantage of purchasing an appliance is that no user licenses 
are required. You purchase an appliance that accommodates 
the number of email users in your organization or the average 
number of daily email messages your organization sends and 
receives. In general, appliances offer better ROI for organizations
with more than 100 users.

Using a Hosted Service 

Hosted services filter email messages before they reach an 
organization's email server. Using a hosted service reduces 
server resource usage, requires no additional hardware or 
software purchases, and means messages identified as potential
spam are stored at the host site. Often, hosted service
providers can respond quickly to newer forms of spam. 

Larger organizations often use hosted services to support
additional email functions such as outbound filtering
and encryption and adherence to compliance policies, but
hosted services are also suited to small companies that have
100 employees or fewer or that aren't ready to hire a mail
administrator. The number of email users usually determines
the price of a hosted service; the more email users you
have, the more the service costs.

Many service providers make additional services available,
including automatic disaster recovery and failover,
offsite message archiving (for compliance and business 
continuity), data redundancy, IM protection, and outbound 
filtering. The inclusion of one or more of these services can 
affect the price of a hosted service plan. 

Making Your Choice 

The most basic requirements for antispam protection are 
a comprehensive hosted service plan or an easy-to-install 
appliance that guarantees high spam protection (a capture 
rate of at least 97 percent) and a low false-positive rate. When 
investigating hosted services, look at the uptime that the 
service level agreement (SLA) guarantees and the message 
latency rate. It's important that a hosted service queue messages
if your network experiences downtime or a connection
fails. Also check to make sure that an appliance or hosted 
service you're investigating supports your email servers, is 
LDAP-compliant, and can handle multiple domains. The 
more protection mechanisms—for antivirus, antispoofing, 
antispyware, and antiphishing support—and filtering technologies
a service or appliance supports, the better.

To effectively manage spam, mail administrators should 
look for products or services that provide a Web-based interface
(possibly supporting multiple languages for global users)
that lets them remotely monitor and access quarantined, 
blocked, or deleted spam messages; manage policies (such 
as customizing policies for different domains, user groups, 
and individual users), rules, and lists; perform user-account 
administration; and generate reports (some products have 
dashboard displays that provide real-time statistics). 

Choosing the Best Solution 

The key factors you want to keep in mind are ease of use, 
superior rate of filtering, scalability, pricing structure, 
customer service and implementation or installation assistance,
and related features or services available that might
offer valuable functionality in the future. The table on page 
20 will help you compare the functionality and features of 
various spam-filtering appliances and hosted services. 

InstantDoc ID 94326

| Company | Product | Price | Exchange Versions Supported | Blocks, Deletes, Forwards to Bulk Mailbox, and Quarantines Suspect Items | Preconfigured Spam Rules Provided | Update Service Available |
|---|---|---|---|---|---|---|
| APPLIANCES | | | | | | |
| Barracuda Networks, 408-342-5400, 888-268-4772, http://www.barracuda.com | Barracuda Spam Firewall 200 | Pricing begins at $1399 | All SMTP-compatible mail servers | Yes | Yes | Yes |
| Barracuda Networks | Barracuda Spam Firewall 300 | Pricing begins at $1999 | All SMTP-compatible mail servers | Yes | Yes | Yes |
| Barracuda Networks | Barracuda Spam Firewall 400 | Pricing begins at $3999 | All SMTP-compatible mail servers | Yes | Yes | Yes |
| IronPort Systems, 650-989-6500, 877-641-4766, http://www.ironport.com | IronPort C-Series Email Security Appliance | Pricing begins at $2639 (includes support and updates) | All SMTP-compatible mail servers | Yes | Yes | Yes |
| Secure Computing, Inc, 800-379-4944, http://www.securecomputing.com | IronMail Messaging Gateway Security | Pricing begins at $5995 | All SMTP-compatible mail servers | Blocks spam before it gets to email server; doesn’t forward spam to bulk mailbox or quarantine potential spam | Yes | Yes |
| SurfControl, 831-440-2500, 800-368-3366, http://www.surfcontrol.com | RiskFilter | Contact vendor | All SMTP-compatible mail servers | Yes | Yes | Yes |
| Symantec, 408-517-8000, 800-441-7234, http://www.symantec.com | Symantec Mail Security 8200 Series | $3065 for as many as 100 users (includes support and updates) | All SMTP-compatible mail servers | Yes | Yes | Yes |
| Vircom, 514-845-1666, 888-484-7266, http://www.vircom.com | ModusGate | $5000 for as many as 50 users (includes updates) | All SMTP-compatible mail servers | Doesn’t forward spam to bulk mailbox | Yes | Yes |
| WatchGuard Technologies, 800-734-9905, 206-521-8340, http://www.watchguard.com | spamBlocker | Pricing begins at $450 | All SMTP-compatible mail servers | Quarantine feature will be supported in a future release | Yes | Yes |
| SERVICES | | | | | | |
| AppRiver, 850-932-5338, 866-223-4645, http://www.appriver.com | SecureTide | Contact vendor | All SMTP-compatible mail servers | Yes | Yes | Yes |
| Clearswift, 650-508-3101, http://www.clearswift.com | MIMEsweeper for Exchange 5.2 | $13,000 for as many as 1000 users | All SMTP-compatible mail servers | Yes | Yes | Yes |
| MessageLabs, 866-460-0000, http://www.messagelabs.com | MessageLabs Email Protect | Pricing begins at $2 per user per month | All SMTP-compatible mail servers | Yes | Yes | Yes |
| Postini, 650-486-8100, 866-767-8461, http://www.postini.com | Postini Perimeter Manager Enterprise | $43,000 for 2 years for as many as 1,000 users (includes support and maintenance) | All SMTP-compatible mail servers | Yes | Yes | Yes |
| St. Bernard, 858-676-2277, 800-782-3762, http://www.stbernard.com | Singlefin Security Services | Pricing begins at $2.95 per user per month | All SMTP-compatible mail servers | Yes | Yes | Yes |
| Symantec, 408-517-8000, 800-441-7234, http://www.symantec.com | Symantec Hosted Mail Security | $2 per user per month | All SMTP-compatible mail servers | Yes | Yes | Yes |



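EDITOR’S NOTE: Some vendors that you might expect to see in this Buyer’s Guide said they didn’t have a product that exactly matched the criteria or didn’t 

| Product | Real-Time Rules Updates | National Language Filters Available | Configurable Policies | Bayesian Filtering Used | Allows Per-User Quarantining | Customizable Filter Settings | Content-Analysis Tool Provided |
|---|---|---|---|---|---|---|---|
| APPLIANCES | | | | | | | |
| Barracuda Spam Firewall 200 | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Barracuda Spam Firewall 300 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Barracuda Spam Firewall 400 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IronPort C-Series Email Security Appliance | Yes | Yes | Yes | No; uses IronPort’s Threat Operations Center | Yes | Yes | Yes |
| IronMail Messaging Gateway Security | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| RiskFilter | Yes | Yes | Yes | Bayesian-like analysis can be configured | Yes | Yes | Yes |
| Symantec Mail Security 8200 Series | Yes | Yes | Yes | Yes | Yes | Yes | As a subscription-based add-on |
| ModusGate | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| spamBlocker | Yes | Yes | Yes | No; uses Recurrent Pattern Detection | Will be supported in a future release | Yes | No |
| SERVICES | | | | | | | |
| SecureTide | Yes | Yes | Yes | Yes | Yes | Yes | No |
| MIMEsweeper for Exchange 5.2 | Yes | Yes | Yes | No; uses SpamLogic | Yes | Yes | Yes |
| MessageLabs Email Protect | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Postini Perimeter Manager Enterprise | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Singlefin Security Services | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Symantec Hosted Mail Security | Yes | Yes | Yes | No | Yes | Yes | No |

BY PAUL THURROTT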

For the first time since Windows NT
Server, Microsoft has improved how
users, enterprises, PC makers, and
OEMs configure, install, and deploy
Windows. New capabilities, such as
offline servicing and the ability to
create just one install image for multiple
hardware configurations, make Windows
deployment easier than ever. But if you're an IT 
administrator who'll need to deploy Windows 
Vista either now or in the future, you've got a 
lot to learn. 

It’s All About Image 

Vista is deployed via a file-based image—similar
to an ISO or virtual hard disk file—instead
of a complex directory structure of files. You 
can edit a Vista image live and can easily create 
custom install images. Furthermore, Microsoft 
is distributing only one Vista image instead 
of a different image for each product edition. 
(Technically, there are actually two images: one 
for 32-bit versions and one for x64 versions.) 
The product key you use during installation 
determines which edition is installed from 
the image and which features are available to 
the user. Vista is also internally componentized,
making it easier to choose exactly which
applications and features will be installed.
(For information about Vista's componentization,
see the Web-exclusive sidebar "Vista
Componentization," http://www.windowsitpro.com,
InstantDoc ID 94189.)

DID YOU KNOW?

Paul Thurrott's SuperSite for Windows
provides several Windows Vista resources,
including his Windows Vista Review series,
RTM screenshot galleries, and the Windows
Vista FAQ. Check it out at http://www.winsupersite.com.

Using simple drag-and-drop techniques 
(or scripting and command-line tools), you 
can easily update the Vista installation image 
with new device drivers, languages, service 
packs, and other features without having to 
go through image recompilation. Changes to 
images occur in real time, and you can base 
install images on other install images. For 
example, if you needed to roll out multiple language
versions of Windows XP, you'd have to
create a separate install point for each version. 
With Vista, you can create one language-free 
install image and then add language images on 
the fly, saving disk space and freeing you from 
having to maintain multiple install points. 

Windows Imaging Format (WIM) images 
achieve smaller-than-expected file sizes by 
combining standard compression technology 
with Single Instance Storage (SIS) technology, 
which allows an image file to contain only one 
instance of each file, even when the image file 
contains multiple install images. You can edit a 
WIM image offline or mount it as a folder in the 
file system and work with it as you would any 
other folder. This capability will be revelatory 
to those used to the drudgery of maintaining 
and administering Remote Installation Services
(RIS)-based client install points.

Tools of the Trade 

Microsoft makes WIM management tools
available in the Windows Automated Installation
Kit (WAIK). The WAIK's collection of
tools includes

• ImageX—a command-line tool that lets you
capture and modify WIM-based disk images

• Windows Preinstallation Environment
(WinPE)—a miniature, bootable version of
Vista that can exist in RAM and bootstrap
the Vista install process

• Windows System Image Manager—a tool
that builds next-generation answer files,
which Windows Setup uses to apply custom
settings for hands-off Vista installs

• Windows Deployment Services (WDS)—a
new tool that replaces RIS

I discuss all these tools a little later. 

Out on a WIM: Examining a Vista Install Image

ImageX lets you view and modify Vista install 
images so that they can be deployed from a 
custom install DVD or a network file share. To 
edit the install image, copy install.wim to the 
hard disk of a system on which you've installed 
the WAIK. Then, open the WinPE tools command
prompt from the WAIK Start Menu folder.
This version of the command prompt includes 
paths for various WAIK command-line tools, 
including ImageX. Right-click the command 
line tool's icon in the Start Menu and choose 
Run as Administrator, clearing any User Account 
Protection dialog boxes that appear. 

Create a folder (e.g., C:\mount) in the file 
system where the image will be mounted. You 
can then use ImageX's Mount (view only) and
Mountrw (read/write) commands to mount,
view, and customize the installation image. If
your install.wim file is stored in C:\images and
you want to mount it in C:\mount, you'd use
the command

imagex /mountrw c:\images\install.wim 1 c:\mount

Now, if you open My Computer and navigate
to C:\mount, you'll see the standard Vista
folder structure, with the Program Files, Users, 
and Windows folders in the root. If you display 
hidden and protected files, you'll also see items 
such as $Recycle.Bin, Documents and Settings, 
and ProgramData. You can add files or even 
entire directory structures to the resulting Vista 
installation wherever is appropriate within 
the mounted image. (Copy and paste seems 
to work more consistently than does dragging 
files in Windows Explorer.) You can also view 
the contents of files within the image and edit 
individual files. 

Figure 1: Viewing Components and Packages in the Answer File pane

After making changes to the image,
unmount it—which removes it from the
namespace of the Windows shell on your
PC—and save your changes. To make ImageX
write the changes back to the original file, you'd
type

ImageX /unmount /commit c:\mount 

Writing changes back to the original file could 
take a while because install.wim is quite large. 
To unmount the image without saving your 
changes, type 

ImageX /unmount c:\mount 

A big benefit of image-based deployment 
tools is that you can copy an image and then 
edit the copy. Because the images are single 
files, they're easy to manipulate in the file 
system. 

To slipstream a service pack or hotfix into 
a Vista install image, simply copy the update's 
executable into the Upgrade folder in the root 
of the install image. There are no complex 
command-line scripts to run or key codes to 
remember. 

Working with Answer Files 

Although it's possible to use an install image to
trigger a remote Vista install, doing so will give
you only a network-based version of interactive
setup, forcing the user (or more typically,
an administrator) to manually install the OS.
By pairing an install image with an answer file
(i.e., a text file containing the responses to Windows
Setup dialog boxes), you can arrive at a
fully automated Vista install that's customized
for your needs. First, you need to create a master
installation by adding an answer file and a
Vista install image to a bootable DVD. You can
then let the DVD run using just the WAIK tools.
Alternatively, you can deploy master installations
by using ImageX and WinPE.

Vista replaces Windows 2000's Setup Manager
with Image Manager, and the text-based
answer files have been superseded by XML 
versions. The XML answer files are harder to 
hand-edit (unless you're conversant in XML), 
but they're standards-based and more elegant 
than the old format. Microsoft has also created 
a new Windows catalog (.clg) file type, which is 
a binary (i.e., non-text) data file that's managed 
by Image Manager and contains the state of all 
the settings and packages in a given Windows 
image. If you look in the Sources folder on a 
Vista install DVD, you'll see a .clg file for each 
Vista product edition. 

To create an answer file, open Image Manager
(click Start Menu, All Programs, Microsoft
Windows AIK, Windows System Image
Manager). Then click File, Select Windows
Image and locate a copy of install.wim in the
File Open dialog box. (The file must be on the
local hard disk, not on the install DVD.) Image
Manager will prompt you to select an image.
Typically, the image will include all the standard
Vista product edition types.

After selecting the image type (I'll use Vista 
Ultimate as an example), click OK, and Image 
Manager will mount the image file and create 
an associated .clg file. When the process is 
complete, you'll see that the Windows Image 
pane in Image Manager now contains the Vista 
Ultimate image, from which you can select 
components and packages. Select New Answer 
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File from the File menu, and the Answer File 
pane will contain new Components and Pack¬ 
ages sections, as Figure 1 shows. 

Components are internal Vista features (e.g., 
Remote Assistance, Windows Sidebar) that you 
can apply during Windows Setup. In Image 
Manager, you can specify the configuration 
pass—or phase of Windows installation—in 
which particular components are installed. 
Packages are external applications and features 
(e.g., service packs, hotfixes, language packs, 
drivers) that you can add to an install image. 
You can also enable and disable Windows 
features via packages. 

It might at first appear that there's some 
overlap between components and packages, 
since you can use packages to enable and 
disable Windows features. But think of it this 
way: Components are internal to Windows, 
and packages are external. IT administrators 
or PC makers typically use packages to disable 
or enable certain Windows features, overriding 
the Microsoft-specified default behavior. 

You'll see seven entries under Components
in the Answer File pane: windowsPE, offlineServicing,
generalize, specialize, auditSystem,
auditUser, and oobeSystem. By default, there
aren't any specified packages because this is a
bare-bones install image.

You can expand the Components and Packages
nodes in the Windows Image pane to see
which components and packages are available 
for editing. You should see many components 
and a short list of packages. As you select items 
from the list, they populate the Properties pane 
so that you can edit properties. 

For example, let's edit the default home page
in Microsoft Internet Explorer (IE) so that it's
a custom location. To do so, expand Components
and locate the
x86_Microsoft-Windows-InternetExplorer-6.0.xxxx.xxxxx_neutral node,
where xxxx.xxxxx is the version number of the
OS you're installing. Expand the Components
node, then the StartPages subnode. To change
the home page setting, right-click the StartPage
subnode (under StartPages) and select Add Setting
to Pass 4 specialize, as you can see in Figure
1. (It's the only option available.) A collapsible set
of component changes is added to 4 specialize in
the Answer File pane.


When you select StartPage in the Answer 
File pane, various StartPage properties appear 
in the Properties pane, including the StartPageUrl
field under Settings. To add a custom
URL, type it in that field and press Enter. After 
the new setting is accepted, the text will be 
bolded. 

The sheer number of components you can 
configure can be overwhelming. Let's look at a 
few common components and their locations 
in the Components hierarchy. 

To automatically specify a username, right-click
the Components,
x86_Microsoft-Windows-Setup_6.0.xxxx.xxxxx_neutral, UserData
setting and select Add Setting to pass 1 WindowsPE
of Vista Setup. This component is
used to specify the username and organization
and determine whether the End User
License Agreement is automatically accepted.
To automatically add a product key, add the
Components,
x86_Microsoft-Windows-Setup_6.0.xxxx.xxxxx_neutral, UserData, ProductKey
setting to the first phase of Vista Setup. Be sure
to change the WillShowUI key to Never and
specify the product key.

To configure packages, expand the Packages
node under your install image in the
Windows Image pane. By default, you should
see packages such as FeaturePack, Foundation,
LanguagePack, and Product, as Figure
2 shows. FeaturePacks are out-of-band additions,
and Vista includes two by default: .NET
Framework 3.0 and XML Paper Specification 
(the Microsoft format that competes with 
PDF). Foundation is the base OS (aka MinWin) 
component on which all Vista installs are built. 
Under LanguagePack, you should see at least 
two nodes (one for Windows and one for the 
.NET Framework)—more, if you're using a 
multilanguage version of Vista or are manually 
adding languages. Under Product, you'll see 
the component Microsoft added to MinWin to 
build the Vista product edition you're working 
with (in this case, the Vista Ultimate package). 

Some packages offer interesting customization
features. For example, you can go into the
Foundation package and enable and disable
specific features, such as InboxGames (which
lets you enable or disable individual games),
Tablet PC optional features, and the Microsoft
Internet Information Services (IIS) Web
server. To customize a package, right-click it 
in the Windows Image pane and choose Add 
to Answer File. Then select the package in the 
Answer File pane and edit its settings in the 
Properties pane. 

To add a new package to your customized 
install, select Insert, Package(s). Then, navigate 
to the add-ons you'd like to install with Vista. 


At any step along the way, you can click 
the Validate Answer File button in the Image 
Manager toolbar to ensure that the resulting 
answer file will work. If Image Manager finds
any errors, it tells you where to find the problem.

You can save a validated answer file: from
Image Manager's File menu, select Save Answer
File and save the file to disk under
a name such as autounattend.xml. If you
double-click the file in Windows Explorer, it 
will open in IE or your default XML editor. You 
can open and edit an answer file either through 
Image Manager or through the Windows shell 
by selecting Open With. 
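
As an added illustration (not code from the article or from Microsoft), the following Python script reads a saved answer file, lists which setting lands in which configuration pass, checks the two placements and the WillShowUI value described above, and flags a product key stored in the file, which anyone holding the DVD or share can read. The sample XML is constructed: component and setting names follow the article's text, and the key, user, and URL values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"  # answer-file XML namespace

# The seven configuration passes the article lists under Components.
PASSES = ("windowsPE", "offlineServicing", "generalize", "specialize",
          "auditSystem", "auditUser", "oobeSystem")

# Pass in which the article places each top-level setting.
EXPECTED_PASS = {"UserData": "windowsPE", "StartPages": "specialize"}

# Constructed sample answer file; all values are placeholders.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86">
      <UserData>
        <AcceptEula>true</AcceptEula>
        <FullName>Example User</FullName>
        <Organization>Example Corp</Organization>
        <ProductKey>
          <Key>AAAAA-BBBBB-CCCCC-DDDDD-EEEEE</Key>
          <WillShowUI>OnError</WillShowUI>
        </ProductKey>
      </UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-InternetExplorer" processorArchitecture="x86">
      <StartPages>
        <StartPage>
          <StartPageUrl>http://intranet.example.com/</StartPageUrl>
        </StartPage>
      </StartPages>
    </component>
  </settings>
</unattend>"""


def leaf_settings(xml_text):
    """Return (pass, component, setting path, value) for every leaf setting."""
    rows = []

    def walk(node, path, pass_name, component):
        children = list(node)
        if not children and path:
            rows.append((pass_name, component, "/".join(path),
                         (node.text or "").strip()))
        for child in children:
            name = child.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
            walk(child, path + [name], pass_name, component)

    root = ET.fromstring(xml_text)
    for settings in root.findall(NS + "settings"):
        for comp in settings.findall(NS + "component"):
            walk(comp, [], settings.get("pass", ""), comp.get("name", ""))
    return rows


def audit(xml_text):
    """Return a de-duplicated list of (code, detail) findings."""
    findings = []

    def report(code, detail):
        if (code, detail) not in findings:
            findings.append((code, detail))

    for pass_name, component, path, value in leaf_settings(xml_text):
        top = path.split("/")[0]
        if pass_name not in PASSES:
            report("UNKNOWN_PASS", f"{component}: pass '{pass_name}'")
        elif EXPECTED_PASS.get(top, pass_name) != pass_name:
            report("WRONG_PASS",
                   f"{top} is in {pass_name}, expected {EXPECTED_PASS[top]}")
        if path.endswith("ProductKey/Key") and value:
            # Report the location only; never echo the key itself.
            report("KEY_IN_CLEAR", f"{pass_name}/{component}/{path}")
        if path.endswith("ProductKey/WillShowUI") and value != "Never":
            report("KEY_PROMPT", f"WillShowUI is '{value}', not 'Never'")
    return findings


if __name__ == "__main__":
    for pass_name, component, path, value in leaf_settings(SAMPLE):
        shown = "<redacted>" if path.endswith("/Key") else value
        print(f"{pass_name:10} {component:36} {path} = {shown}")
    for code, detail in audit(SAMPLE):
        print(f"[{code}] {detail}")
```
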

To install Vista on only a few PCs, the simplest
solution might be to create a bootable
DVD by copying a Vista install DVD and adding
an answer file to the root. Then, you can use
the customized installation DVD to boot each 
PC. Vista should set up in about 30 minutes. 

WDS Deployments 

You should be at least somewhat familiar
with previous-generation Windows deployment
tools, such as RIS, before moving up to
the WAIK and WDS. To review how a typical
enterprise might roll out XP desktops in a pre-Vista
world, see the Web-exclusive sidebar
"Deploying Windows with RIS," http://www.windowsitpro.com,
InstantDoc ID 94191.

WDS is RIS's replacement and is installed 
from the WAIK CD or through a download. 
After installing WDS, you'll no longer have 
access to RIS, although any RIS install images 
you previously configured will still be available
via the Legacy Images section of the WDS UI.
Like RIS, WDS requires an AD-based network 
running DNS and DHCP services, and the 
WDS server must have an NTFS partition on 
which to store install images. If you've already 
installed RIS and configured these items, the 
WDS install wizard will let you use the RIS 
settings. However, some users will install WDS 
"fresh," in which case they have to install (but 
not configure) RIS, install WDS, and then configure
WDS during the install process.

Because of the modular nature of Vista, 
WDS will install several installation images 
when you add the Vista install.wim file to the 
WDS image store. On a typical version of Vista, 
you'll likely see seven images, each representing
one of the available Vista product editions.
These images will be installed into the WDS 
Install Images group, which is accessible from 
the WDS GUI. 

Using the tools and techniques described 
earlier, you can create custom install images 
with custom answer files, store them in WDS, 
then deploy them to clients. For the most part, 
WDS works similarly to RIS. When you boot 
a Preboot Execution Environment (PXE)-enabled
computer on the network, it finds the
WDS server, loads WinPE to boot from RAM, 
then processes the answer file, if one exists. 
Depending on how automated the install is, 
you might have to answer some interactive 
setup questions at the beginning of the process 
and specify a computer name at the end. 

Like RIS, WDS has its limitations. It doesn't
support decent monitoring functionality, making
it hard to gauge how well large-scale
deployments have gone. For this reason,
large enterprises will still want to rely on
high-end deployment tools such as Microsoft
Systems Management Server (SMS), whose
useful deployment features include the ability
to install Vista and the Microsoft Office
2007 System simultaneously using Zero Touch
Installation technologies. Microsoft is also
working on a set of Business Desktop Deployment
solution accelerators for Vista and Office
2007 that will make rolling out these products
in large environments easier.

Migrating to Vista 

Traditionally, it's been best to install new Windows
versions on new hardware for a couple of
reasons. First, a new OS tends to introduce hardware
and software incompatibilities, and second,
the process of upgrading from one version
of Windows to another has generally proven to
be problematic. However, Vista's modular architecture
partially eliminates these problems.

When you upgrade an XP PC to Vista, Windows
Setup actually performs a clean install of
Vista, then reinstalls applications and user settings
to the upgraded system. The result is generally
a system that performs as before, but with
the benefits of Vista. (With Win2K, upgrading
isn't as easy. Win2K can't be upgraded in-place
to Vista, so you'll need to back up all user documents
and data files from the Win2K system
and copy them back to the PC after completing
the upgrade.) Regardless of what Windows version
is on your client PCs now, make sure those
systems meet the minimum Vista requirements
before attempting a migration. For a list of those
requirements, go to http://www.winsupersite.com/reviews/winvista.asp.

There are two ways to migrate to Vista. 
Small businesses and individuals can use the 
Windows Easy Transfer tool and an optional 
Easy Transfer Cable to move user accounts, 
files and folders, program settings, Internet 
settings and favorites, and email settings from 
an existing Windows PC to a new PC running 
Vista. Or, you can capture this information 
from a client PC, put it on a recordable DVD, 
network share, or removable hard disk drive, 
install Vista interactively or using any of the 
methods described above, and then use the 
Windows Easy Transfer tool again to copy 
everything back to Vista. 


Enterprises and large businesses need a 
more scalable approach. For them, the WAIK 
provides a new version of User State Migration 
Tool (USMT) to help migrate user files and settings
during large Windows deployments.

Final Thoughts 

Microsoft has bestowed Vista with major new 
versions of its software deployment tools. To 
those familiar with today's Windows deployment
tools, the new WAIK, WDS, and USMT
will seem familiar, yet more powerful. Those 
who have never before deployed Windows 
can rejoice: Vista is simpler to deploy than any 
earlier version of Windows.

KEEP AN EYE ON SERVER PERFORMANCE

Microsoft’s SPA utility
helps you proactively
manage your servers

by Gil Kirkpatrick



PROBLEM: 

How to better manage 
server performance. 

SOLUTION: 

Create a baseline of 
server performance by 
setting up SPA to collect 
data and generate reports, 
then have it notify you 
when performance levels 
begin to fall. 

WHAT YOU NEED: 

The most recent version 
of Windows Server 2003 
Performance Advisor 
(SPA); Windows Server 
2003. 

DIFFICULTY: 

•©ooo 


In "Diagnose AD Performance Problems"
(December 2006, InstantDoc ID 93949), I set up
a scenario to show how to use Windows Server 
2003 Performance Advisor (SPA) in a diagnostic 
capacity. I created a domain controller (DC), loaded 
it heavily using ADTEST, and ran SPA to analyze the 
DC's performance. Although SPA diagnosed the 
problem, using SPA in this way makes for a reactive 
approach to performance management. 

You can use SPA more proactively to collect and 
archive performance data regularly. Comparing a 
server's performance today with its performance a 
few months ago, you'll notice trends in performance, 
letting you take corrective action before problems 
affect your users. SPA provides two features that can 
help you collect, archive, and analyze performance 
data: scheduled data collection and centralized report 
generation. Let's look at how to set up SPA to collect 
data from multiple servers, generate the reports on 
a centralized reporting server, and notify you when 
performance levels drop. 


Use SPA’s Data and Report Roles

SPA relies on the Event Tracing for Windows (ETW) 
and performance counter subsystems for collecting 
performance data. These subsystems are quite efficient:
Usually the only performance impact caused
by running a collection is the cost of the I/O as SPA 
writes the raw data to hard disk, and you can easily 
avoid this performance hit by putting the raw data on 
a relatively unused disk. 

However, analyzing the performance data and
producing a report can be a very CPU-intensive task.
In fact, if you check Performance Monitor while SPA
is producing a report, you'll likely see that the CPU is
pegged at 100 percent for a good portion of the process—clearly
not an effect you want to deal with on a
loaded production server.

You don't have to, however, because SPA divides 
the job of producing performance reports into two 
roles. The Data role collects raw performance data 
and stores it in files, and the Report role crunches 
the data, analyzes the results, and produces a formatted
report. By default, the installer configures
SPA to perform both roles on the same machine. 

However, I recommend you configure SPA to 
perform only the Data role on your production 
servers and copy the raw data to a central reporting
server where you've also installed SPA, and
where it can perform the Report role. This approach 
gives you scheduled, low-impact data collection on 
your production servers and offloads the number 
crunching to a dedicated server. 

Step 1: Configure the Central Reporting Server

To periodically generate SPA reports from multiple
servers, first set up the central reporting server. This
server can be a dedicated Windows server or one
that's otherwise lightly loaded. Install SPA on the
server, following the instructions in "Diagnose AD
Performance Problems." Then open SPA's Scope Tree
view, right-click the Local Computer entry at the top,
and select Properties from the context menu. Set the
Role parameter to Report, and make sure that the
AutoScan parameter is set to True, as Figure 1 shows.

Figure 1: Configuring central reporting server’s local computer properties

Also note the path to the Transfer folder (C:\Perf- 
Logs\Transfer in Figure 1), and create a share for that 
folder. The Data servers will copy raw performance 
data to this share, so set the access rights on the share 
to allow reading and writing by the Data servers. 


Step 2: Configure the Data Collection Server(s)

After you set up the central reporting server, install SPA on
the servers you want to collect data from. Open SPA's Scope
Tree view on each server, right-click the Local Computer
entry, and select Properties from the context menu. Set the
Role parameter to Data, and set the path for the Transfer
directory to the share you created on the central reporting
server. SPA will collect the performance data locally and
automatically copy the raw data files to the reporting
server.

Step 3: Set Up a Schedule

For each data collector group you want to run on the 
Data server, create a schedule. Open the Properties 
page for the data collector group and click the Schedule 
tab. Click the Change button to edit the schedule, then 
the New button to add a new schedule entry, which 
Figure 2 shows. Edit the fields to create one or more 
schedule entries. 

The data collector groups you configured will run
automatically according to the schedules you defined. When
they finish collecting data, they copy the raw data to the
shared Transfer directory on the reporting server. The
reporting server detects the new data files and automatically
creates the appropriate reports.

SOLUTIONS SNAPSHOT

SOLUTION STEPS:

1. Configure the Central Reporting Server.
2. Configure the Data Collection Servers.
3. Set Up a Schedule.
4. Add Email Notification.
5. Tune Performance Warning Rules.

Make sure that you enable the same data collector groups on
the reporting server that you enabled on the data servers. If
you don't, SPA on the reporting server won't detect the
incoming files in the Transfer directory and won't create a
report for that data collector group.

Step 4: Add Email Notification

Now you've set up SPA to automatically produce periodic
performance reports for your DCs and other critical servers.
But you still have to look at the reports occasionally to
make sure your systems are running well. Reading the reports
isn't difficult, but it's yet another task to add to your
ever-growing task list. To save yourself some time and
trouble, you can configure SPA to generate email
notifications whenever it detects performance warnings during
the report-generation process.

Run the SPA client on the reporting server. From the Edit
menu, select Rules. Scroll down to the Global - Notification
Control section near the bottom and check that Warning
Notification is enabled and that the expression is set to
> 0, as Figure 3 shows. SPA evaluates the Warning
Notification expression after generating a report, and if the
expression evaluates to true, SPA will invoke the
notification procedure defined for the Collector Group. I
recommend that you initially set the expression to > 0 so
that SPA will generate a notification whenever there is a
warning condition. If you get too many notifications during
normal operation, you should either fix the performance
problem or adjust the thresholds for the performance
conditions that generate the warnings, as I describe in the
next section.

In the Scope Tree, open the Properties page 
for Local Computer and set the Mail From 
value to the name you want to appear in the 
From field of the notification email message. 
Set the SMTP Server entry to the host name 
or IP address of your mail server. Note that the 
account that SPA uses to generate the reports 
(by default, LocalSystem on the 
server SPA is running on) must 
have appropriate access to the 
specified SMTP server. 

Finally, to generate notifications for each data collector
group you want to track, open the Properties page and find
the Messaging parameter in the Miscellaneous section of the
dialog box. Figure 4 shows the box where you edit the
messaging parameters. Click the Add button to add a new
email-notification entry, and enter your email address (or
the email address of the person you want SPA to notify) in
the Recipient field. Now, whenever SPA detects a warning
condition in a performance report, it will send an email
message with the appropriate information to the email address
set in the Recipient field.

Step 5: Tune Performance Warning Rules

You might find that SPA generates too many warnings, and
consequently, too many emails. Instead of simply setting the
warning threshold higher, and possibly missing an important
performance problem, you should tune the warning rules that
SPA uses to generate warnings.

The default rules that SPA provides are well thought out, so
if your DC routinely generates performance warnings, you
should probably fix the DC's performance problem. But if you
determine that your DC's performance is adequate despite the
performance warnings, you can tune SPA's performance rules to
reduce the number of warnings SPA generates.

Run the SPA client on the reporting server, and from the Edit
menu, select Rules. You'll see SPA's performance rules
listed, which Figure 5 shows. You can tune the thresholds
defined for each rule, or disable the rule entirely. To
disable a warning rule, clear the check box next to the
warning. For instance, if you have an application that
generates LDAP referrals and you don't intend to change the
application, you can disable the Directory Search - Search
Referrals Are Occurring rule simply by clearing its check
box.

Figure 5: Default performance warning rules

Windows IT Pro JANUARY 2007

But generally speaking, you'll want to tune the rule instead
of disabling it entirely. For example, if you have an
application that uses AD heavily, and you don't care that the
application uses a lot of CPU on the DC, you can change the
Directory Search - Search Client Using Too Much CPU rule.
Expand the rule definition by clicking the plus sign next to
the rule name to display the rule thresholds, which Figure 6
shows. To change the rule, select the appropriate relational
operator, enter the threshold value you want, and click Apply
to save. The next time SPA generates a performance report, it
will generate warnings based on your modified rules.


Stay Ahead of the 
Performance Curve 

SPA is a fantastic tool for diagnosing performance problems
and for performance baselining. Instead of just capturing
performance counter data, SPA actually characterizes the load
being placed on the server. By setting up SPA on all your
mission-critical servers and configuring it to automatically
collect data and generate performance reports, you can build
a performance baseline that will keep your servers ahead of
the performance curve.

Running Legacy Applications as a Least-Privileged User

Use this toolkit to help reduce compatibility problems

Running legacy applications while logged on as a
least-privileged user

With tools found in the Windows Application Compatibility
Toolkit (ACT), you can configure an application that requires
write operations to protected areas of the file system or
registry to redirect those operations to the user’s profile.


WHAT YOU NEED: 


Windows XP, ACT 4.1, a 
sample application (e.g., 
Maxthon) 


DIFFICULTY: 

••©oo 


by Russell Smith 

Anyone who has ever tried to manage Windows XP desktops in an
enterprise environment in which Least-Privileged User
Accounts (LUAs) are deployed knows what a challenge it can
be. I'm not going to discuss the benefits of running your
desktops as limited accounts, but I'll show you a useful
technique for overcoming problems related to limited access
and legacy application compatibility.


LUA and Compatibility 
Problems 

Legacy applications (and sometimes even new applications)
that fail to run under the security model for a
least-privileged user can be a huge headache for IT
administrators. Often such programs require access to areas
of the file system and registry that least-privileged users
aren't permitted to modify, causing applications to lose
certain functionality or not work at all.

Users have several methods they can use to run legacy
applications when logged on as a LUA (e.g., the Runas
command). Many are workarounds that require the user to take
some additional action or that introduce authentication
problems when connecting to networked resources, and are
rarely accepted by users. However, you might consider using
the following options, which are transparent to the end user:

• Changing the ACL on the affected files, folders, or
registry keys

• Modifying the user's security token only for the affected
application

• Using the Application Compatibility Engine to redirect file
system or registry writes

The most commonly used method for running legacy applications
as a least-privileged user is to modify ACLs on registry keys
and files or folders that an application needs to access to
be able to run successfully. There are two main drawbacks to
this method. First, you need to identify the registry keys,
files, and folders that are causing the problem. Even using
file and registry access tools, this can be a time-consuming
job. Second, after you modify the necessary ACL, you
potentially leave once-protected areas of the system open to
change, which could cause the application to stop working at
some point in the future. One case in point is if you need to
give users modify access to a particular application
directory.

Third-party solutions (such as Winternals Software's
Protection Manager and BeyondTrust's Privilege Manager) can
provide the ability to modify the user's security token on
the fly. When a user launches an application, the token is
given administrator privilege to run only that particular
process. This is completely transparent to the user. The main
disadvantage of using this method is the cost.

XP has a built-in solution for dealing with LUA compatibility
problems—the Application Compatibility Engine. Using it in
conjunction with the Application Compatibility Toolkit (ACT),
you can analyze an application and configure XP to
automatically redirect writes in protected areas of the file
system and registry to the user's profile.


Configuring Application Fixes 

Let's look at a sample legacy application and how to 
use ACT to make the application run correctly under 
a LUA account. The example is simple for the purpose 
of illustrating the process. You can use ACT to solve 
more complex problems, but the basic steps remain 
the same. 

The application we'll use is Maxthon 1.5, which is a
replacement shell for Microsoft Internet Explorer (IE) 6.0
and IE 5.5 that has tabbed browsing, RSS, an ad blocker, and
other useful features that make Web browsing a more pleasant
experience. Maxthon is available as a free download at
http://www.maxthon.com. If you run this application as a LUA
user, any preferences or options that you configure are lost
when you close it because Maxthon saves preferences in a
folder under Program Files, for which a least-privileged user
doesn't have Write permission. Maxthon isn't aware of
multiple users.

After you download ACT, which you can do at
http://www.microsoft.com/downloads/details.aspx?FamilyID=4005DA79-933A-4CC8-BF86-FE2E28B792FD&displaylang=en&Flash=V3N34CF,
log on to Windows as an administrator and install ACT. Then
install Maxthon, but clear the option for running the program
before you click Finish. You want to find out where Maxthon
saves all its preferences, so you'll need to let ACT analyze
the application the first time that you run it.

Although we're looking for a solution to run Maxthon under
LUA, we need to run ACT and analyze Maxthon while logged on
as an administrator. To do so, perform these steps:

1. Launch the Compatibility Administrator program by opening
All Programs, Microsoft Application Compatibility Toolkit
4.1, then clicking Tools.

2. Under Custom Databases, you'll see New Database.
Right-click it and rename it to Maxthon, as Figure 1 shows.

3. Right-click the database again and select Create New,
Application Fix. In the Program information dialog box, enter
the name of the application, the vendor, and the path to the
executable, which in this case is
C:\Program Files\Maxthon\Maxthon.exe. Click Next.

4. Next, you'll see the Compatibility Modes screen, which is
where you can choose to solve a LUA problem. For OS mode,
select None, then select LUA from the list on the right, as
Figure 2 shows. Click Next.

5. In the Compatibility Fixes screen, scroll through the list
of fixes. Make sure that LUARedirectFS and LUARedirectReg are
selected and click Next.

6. The Matching Information screen lets you modify the
criteria that the Application Compatibility Engine uses to
identify the Maxthon executable. Accept the default values
and click Next.




7. Make sure that Yes, customize these fixes now is selected
and click Finish.

Figure 2: Creating a new application fix

SOLUTIONS SNAPSHOT

SOLUTION STEPS:

1. Create an application compatibility database.
2. Customize an application fix.
3. Install the database.

Customizing the Application Fix

We now want to let ACT analyze Maxthon as it runs to detect
when it writes to protected areas of the OS and automatically
customize the fix as necessary. When you click Finish in the
previous step, a page opens that gives you the option to
monitor the program. Run program to collect data will be the
only option available. Click Next. The path to the Maxthon
executable will already be entered, so simply click OK. ACT
will automatically launch Maxthon.

1. As Maxthon runs for the first time, follow the
Configuration Wizard prompts, then select Options, Maxthon
Options.

2. Go to the General tab to see the available options, which
Figure 3 shows. Select the Allow only one instance of Maxthon
option, then click OK.

3. Close Maxthon and select Don't show me the message again
in the Exit Maxthon dialog box. Click OK.

Figure 3: Configuring application settings

Maxthon will then close and you'll be returned to the ACT
Exclude File Extensions screen. For this example, we don't
want to exclude anything, so make sure that no file
extensions are listed and click Next. In the Edit the File
Redirection List, which Figure 4 shows, you'll see that ACT
has identified all instances of writes to protected files.
Select all of them and click Next. ACT will display a summary
of the redirects in the Redirection Location screen. Click
Finish.

Figure 4: Redirecting application files (the Edit the File
Redirection List dialog box, listing files under
%APPPATH%\Config and %APPPATH%\Language\English\start.htm,
each with Redirect To set to Per-User)

Installing an Application Compatibility Database

From the main Compatibility Administrator window, save the
Maxthon database as c:\maxthon.sdb. Then install the database
by opening a command line and typing

sdbinst c:\maxthon.sdb

After installing the database, log on as a LUA and clear the
Allow only one instance of Maxthon check box under Maxthon
Options. Close and restart Maxthon. Check the options to make
sure that the application has remembered the setting. You'll
see that the redirected configuration files are now stored in
the hidden Application Data folder in the least-privileged
user's profile.

Next, uninstall the compatibility database to see how Maxthon
behaves when the database isn't installed. To uninstall the
database, log on as an administrator and type the following
command:

sdbinst -u c:\maxthon.sdb

When you restart Maxthon as a least-privileged user, you'll
find that without the compatibility database installed, the
application doesn't retain the options you set.

Going Forward

ACT can provide quick and easy solutions to many LUA problems
that occur with legacy applications. The user will be unaware
of the problem and can run the application without the need
for any manual workarounds. Administrators can simplify the
process even more by using Group Policy to deploy
compatibility databases. In Windows Vista's User Account
Control (UAC) Microsoft has further developed the redirection
feature to automatically redirect writes to a virtualized
space for each user without the need to run ACT. This
functionality will help even home users run as
least-privileged users.
Blocking Web Sites in ISA Server

Scripts import blacklisted domains into ISA for inexpensive
content filtering

SOLUTIONS SNAPSHOT

PROBLEM:
You need to block access to thousands of unwanted Web sites
without spending a lot of money.

SOLUTION:
If you’re already running ISA Server 2004 or 2006, you can
use an inexpensive blacklist service and a couple of scripts
to prevent access to inappropriate Web sites.

WHAT YOU NEED:
ISA Server 2004 or 2006, blacklist service subscription,
ImportBlacklist.vbs and ScheduledUpdate.bat scripts

by Jason Fossen

Content-filtering products such as those from Websense and
SurfControl are wonderful for regulating your users' access
to undesirable Web sites, but they aren't cheap. If you have
Microsoft ISA Server 2004 or ISA Server 2006, you can use it
and a blacklisting service to block access to off-limits
sites.

Blacklisting services maintain lists of Web sites that
contain pornography, hate speech, violence, hacking tools, or
other prohibited content. You can subscribe to an inexpensive
blacklisting service and import its list (typically updated
each week) into ISA Server with a script. In fact, I've
included a free script for doing this with this article. This
might sound complicated, but don't worry, it's not hard to
do. Let's walk through the steps together.

Step 1: Use ISA Server 

Of course, you must have ISA Server 2004 or 2006, 
and your users' Web browsers must be configured 
to go through it for HTTP access to the Internet. This 
article assumes you've already got this set up, but if 
you don't, you can download a trial version of ISA 
Server from http://www.microsoft.com/isaserver. If 
you have Microsoft Windows Small Business Server 
(SBS) 2003 Premium Edition Service Pack 1 (SP1) or 
SBS 2003 Premium Release 2 (R2), it includes ISA 
Server 2004. 

Step 2: Create a 
Domain Name Set 

In ISA Server, you can use firewall policy rules to grant or
deny access to a domain name set—that is, a list of DNS
domains. The list can include a mixture of fully qualified
domain names (e.g., www.windowsitpro.com) and domains with
wildcards (e.g., *.microsoft.com). We need to create a domain
name set to hold the hundreds of thousands of domains we wish
to block. Let's call it Bad-Sites.

To create the Bad-Sites domain name set, open 
the Microsoft Management Console (MMC) ISA 
Server Management snap-in, expand the container 
list under your ISA Server, and click the Firewall Policy 
container to highlight it. Next, right-click the Firewall 
Policy container, select View, and select Task Pane (if 
it's not already selected). The task pane will appear 
on the right. In the task pane, click the Toolbox tab, 
then click the Network Objects category. Right-click 
Domain Name Sets and select New Domain Name 
Set. Enter the name Bad-Sites and click OK. At the 
top of the console window, click Apply to save the 
changes. Figure 1 shows the Bad-Sites domain name 
set on the Toolbox tab. The Bad-Sites list is currently 
empty, but we'll fill it with blacklisted domains in a 
moment. 


Step 3: Create a Blocking Rule

Once you have your Bad-Sites list of unwanted 
domains, you'll block access to those sites with a rule 
in the firewall policy. This rule will come just before 
the rule that otherwise allows Internet access, which 
I'll assume already exists. 

To create the rule that blocks requests to Bad-Sites, click
the rule in your firewall policy that permits your users
Internet access. Next, right-click the Firewall Policy
container in the ISA Server Management console, select New,
Access Rule, name the rule Site_Blocker, click Next, select
Deny, click Next, accept the default for the rule to apply to
all outbound traffic, and click Next. Click Add and add the
Internal Network to the list of sources (expand the Networks
folder to see the Internal Network object), click Next. Click
Add and add the Bad-Sites domain name set for the destination
(expand the Domain Name Sets folder to see the Bad-Sites
object), click Next. Accept the default All Users option,
click Next, and click Finish.

Right-click your new Site_Blocker rule to move it up or down,
if necessary, to place it just above your rule that allows
users Internet access. Click Apply at the top of the console
to save your changes. You can see the completed Site_Blocker
rule in Figure 1, including the Bad-Sites set in the To
column.

See “More Web Filtering,” page 41, for guidance on blocking
certain file types and using other ISA Server
content-filtering features.

Step 4: Download a Blacklist

You now have a rule named Site_Blocker that prevents access
to domains in the currently empty Bad-Sites list. This list
must now be filled with the hundreds of thousands of domains
that have undesirable content, and it must be updated at
least weekly. But where can you get this information in a
usable form? And how can you load it into your list?

Fortunately, free and inexpensive sources of blacklists are
available on the Internet that can be imported into your
Bad-Sites list. Perhaps the best-known free blacklists are
for the squidGuard (http://www.squidguard.org/blacklist) and
DansGuardian (http://www.dansguardian.org) UNIX/Linux
filters, but these blacklists work just fine with ISA Server
too.

I prefer the inexpensive blacklist service at
http://www.urlblacklist.com. As of this writing, a business
can download an updated blacklist once per week for less than
$190 a year with no per-user limits. Schools and individuals
pay less. Because URLBlacklist.com is a commercial rather
than free service, its blacklists are managed better and the
service is more likely to still exist a year from now. You
can download a small demo blacklist for free to try out the
service.

When you download one of these blacklists, it will most
likely be in a GNU zip (gzip)-compressed .tar file—that is,
a file that ends with the .tar.gz extension. You can use
graphical programs such as WinZip (http://www.winzip.com) to
extract your blacklist text files, or you can get Windows
versions of gunzip.exe and tar.exe for free from
http://unxutils.sourceforge.net (notice that unxutils has
only one i) or in the free Microsoft Windows Services for
Unix (SFU) at
http://www.microsoft.com/technet/interopmigration/unix/sfu.

To use gunzip.exe and tar.exe with the bigblacklist.tar.gz
file downloaded from http://www.urlblacklist.com, move
bigblacklist.tar.gz into a new folder and execute the
following commands in a CMD shell to extract the blacklist
files:

gunzip.exe bigblacklist.tar.gz
tar.exe -xf bigblacklist.tar

These commands will create a new folder that contains all the
blacklist files. The files are placed into subfolders named
after their contents. For example, one of these subfolders
will be named porn, and in the porn folder you'll find a
large text file named domains.

We'll use a script to import the porn\domains text file into
our blocked Bad-Sites list. Then, we'll use another script to
automate downloading blacklist updates and importing them
into Bad-Sites.

Step 5: Import Blacklist into Bad-Sites

Download the script named ImportBlacklist.vbs by going to
http://www.windowsitpro.com, entering 94079 in the InstantDoc
ID text box, and clicking the 94079.zip link. Unzip the
downloaded file and copy the two files it contains to your
ISA Server's hard drive. (I'll explain the other file,
ScheduledUpdate.bat, in a moment.)

The ImportBlacklist.vbs script imports a text file of domain
names into a domain name set on ISA Server 2004 or 2006,
either the Standard or Enterprise edition. Copy the
porn\domains blacklist file to the folder on your ISA Server
system that contains the ImportBlacklist.vbs script, then run
the following command in a CMD shell (type the command all on
one line) to fill your Bad-Sites list:

cscript.exe ImportBlacklist.vbs Bad-Sites domains

To import domains from multiple files, merge them all
together into one large file. For example, to append one file
(domains1) to the end of another file (domains2), use the
Type command as follows:

type domains1 >> domains2

Alternatively, you could create multiple Bad-Sites sets, one
for each file to be imported, and add all these Bad-Sites
sets to the destination in the Site_Blocker rule.

By default, the script deletes the contents of the domain
name set first, then imports from the text file, so it's
better to do your list management in the text file than in
the domain name set itself. When the script finishes, refresh
your ISA Server Management console to see the new contents of
the Bad-Sites list (or close and reopen the console, which is
often faster).

That's it! Now, when a user requests a file from a blocked
domain, the user will get an error page instead. As long as
the HTTP request is routed through ISA Server, this domain
blocking works even when the user's browser isn't configured
as a Web proxy client. (But it's better to configure all
browsers as proxy clients.) And the performance penalty of
ongoing domain blocking is relatively small because it's not
regular expression pattern matching, it's just simple string
comparisons against the user's requested URL. Very slick.

Schedule the blacklist updates for off-peak hours, and run
the ImportBlacklist.vbs script with the \belownormal option.
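The list management that Step 5 says belongs in the text file can run before ImportBlacklist.vbs does. The Python code below is an added example, not the article's ImportBlacklist.vbs or ScheduledUpdate.bat: it reads the chosen category domains files straight from the .tar.gz, keeps only well-formed names, and raises instead of returning a list when the result is empty or far smaller than the previous one, because the import empties the domain name set first. The function names, the 50 percent shrink threshold, the handling of numeric entries, and the sample archive are assumptions of the example.

```python
import io
import re
import tarfile

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def clean_domain(line):
    """Return the normalized domain name on this line, or None if it is not one."""
    name = line.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    # The article notes that a domain name set may hold "*." wildcard entries.
    body = name[2:] if name.startswith("*.") else name
    labels = body.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    # Assumption of this example: all-numeric entries (IP addresses) are not
    # DNS names and do not belong in a domain name set.
    if labels[-1].isdigit():
        return None
    return name


def read_category(archive_bytes, category):
    """Yield the lines of <folder>/<category>/domains from a .tar.gz held in memory."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            parts = member.name.split("/")
            # Only regular files named <category>/domains are read; nothing is
            # extracted to disk, so odd member paths or links cannot write files.
            if member.isfile() and parts[-2:] == [category, "domains"]:
                data = tar.extractfile(member).read()
                yield from data.decode("ascii", errors="replace").splitlines()


def build_blocklist(archive_bytes, categories, previous_count=0, min_ratio=0.5):
    """Merge categories into a sorted, de-duplicated list plus a reject count.

    Raises ValueError when the list is empty or smaller than
    previous_count * min_ratio, so a truncated or failed download never
    reaches the import step that clears the existing set.
    """
    merged = set()
    rejected = 0
    for category in categories:
        for line in read_category(archive_bytes, category):
            if not line.strip():
                continue
            name = clean_domain(line)
            if name is None:
                rejected += 1
            else:
                merged.add(name)
    if not merged:
        raise ValueError("no valid domains found; keep the current set")
    if len(merged) < previous_count * min_ratio:
        raise ValueError("list shrank from %d to %d entries; keep the current set"
                         % (previous_count, len(merged)))
    return sorted(merged), rejected


def make_sample_archive():
    """Constructed sample data standing in for a downloaded blacklist archive."""
    files = {
        "blacklists/porn/domains": "bad.example\nWWW.Bad.Example.\n*.worse.example\n"
                                   "192.0.2.10\nnot a domain\n-bad-.example\n",
        "blacklists/hacking/domains": "tools.example\nbad.example\n",
        "blacklists/porn/urls": "bad.example/path\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode("ascii")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    domains, rejected = build_blocklist(make_sample_archive(), ["porn", "hacking"])
    print("\n".join(domains))
    print("rejected lines:", rejected)
```

Write the returned list to the domains file that the import command reads, and pass the previous run's entry count as previous_count.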

Step 6: Schedule Updates

Manually downloading blacklist updates and importing them
into ISA Server is easy enough, but it can be tedious.
Fortunately, it can be scripted. A scheduled batch script
that uses a free Windows version of wget.exe
(http://www.gnu.org/software/wget) can download the latest
version of your favorite blacklist every week or night, then
run gunzip.exe, tar.exe, and ImportBlacklist.vbs to update
your ISA Server system hands-free.

Listing 1 shows a simple batch script named 
ScheduledUpdate.bat that performs these 
tasks. The script downloads a small demo 
blacklist from URLBlacklist.com and imports 
its porn list into an ISA Server domain name set 
named Bad-Sites using the ImportBlacklist.vbs 
script. In real life, you'll need to edit this script 
to download the full blacklist for which you've 
paid and to perform error-checking, logging, 
More Web Filtering

ISA Server has Web filtering features, beyond the ability to block a list of sites, that you might find useful. To experiment with these features, follow the same procedure as in Step 3 in the main article to create another blocking rule, but this time, name it File_Blocker and set the destination to the external network instead of to Bad-Sites. Move the File_Blocker rule to sit just above the Site_Blocker rule in the firewall policy.

Right-click your File_Blocker rule, select Properties, then go to the Content Types tab. By default, the rule applies to all content types; hence, the rule is now preventing all file downloads from the Web, which isn’t what we want. Instead, choose the Selected content types option and select only the Audio and Video check boxes, as Figure A shows. Now ISA Server will prevent your users from downloading any audio or video files from the Web via HTTP, which could save you a lot of bandwidth.

ISA Server determines a file’s type by using its filename extension (e.g., .mp3) and MIME description (e.g., audio/mpeg). You can highlight a file type on the tab in Figure A and click Details to see the list of filename extensions and MIME descriptors that make up that content type. You can also create your own custom content type by clicking New.

Figure A: Choosing which file types to block

Note, however, that specifying file types on a rule’s Content Types tab causes that rule to apply only to HTTP traffic. This is true even if the Protocols tab says that the rule applies to all traffic. If you want to block protocols other than HTTP, you’ll have to create additional rules, but even if you do, you won’t be able to block file downloads by filename extension or MIME type for those non-HTTP protocols—this feature is only for HTTP. Moreover, unless you purchase a third-party extension such as Collective Software’s ClearTunnel, you won’t be able to limit HTTP Secure (HTTPS) traffic because the channel is encrypted.
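
To see how much of your traffic a content-type rule such as File_Blocker actually covers, you can replay proxy log entries through a model of the rule. The following Python is an added example, not code from the article or from ISA Server: the extension and MIME lists, the log entries, and the assumption that a match on either signal is enough are all constructed for illustration.

```python
from collections import Counter
from fnmatch import fnmatch
from posixpath import splitext
from urllib.parse import urlsplit

# Constructed stand-in for a content-type group such as Audio or Video.
# The real extension and MIME lists are whatever the Details dialog shows.
AUDIO_VIDEO = {
    "extensions": {".mp3", ".wav", ".wma", ".avi", ".mpg", ".wmv"},
    "mime_patterns": ["audio/*", "video/*"],
}


def evaluate(url, content_type, group=AUDIO_VIDEO):
    """Return the modelled verdict of a content-type deny rule for one request."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        # Encrypted channel: neither the extension nor the MIME type is visible.
        return "not-inspected"
    if scheme != "http":
        # Content types on a rule apply to HTTP traffic only.
        return "out-of-scope"
    extension = splitext(parts.path)[1].lower()
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    # Assumption: a match on either signal is enough for the rule to apply.
    if extension in group["extensions"]:
        return "denied"
    if any(fnmatch(mime, pattern) for pattern in group["mime_patterns"]):
        return "denied"
    return "allowed"


def coverage_report(entries, group=AUDIO_VIDEO):
    """Count verdicts over (url, content_type) pairs taken from a proxy log."""
    return Counter(evaluate(url, ctype, group) for url, ctype in entries)


# Constructed log entries: (requested URL, Content-Type of the response if seen).
SAMPLE_LOG = [
    ("http://media.example/track01.mp3", "audio/mpeg"),
    ("http://media.example/stream.php?id=7", "video/x-ms-wmv"),
    ("http://media.example/clip.AVI", "application/octet-stream"),
    ("http://www.example/index.html", "text/html; charset=utf-8"),
    ("https://media.example/track01.mp3", None),
    ("ftp://files.example/pub/track01.mp3", None),
]

if __name__ == "__main__":
    for verdict, count in sorted(coverage_report(SAMPLE_LOG).items()):
        print(f"{verdict:14} {count}")
```

The "not-inspected" and "out-of-scope" counts are the traffic that needs a separate rule or a different control.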

Next, go to the Action tab. On this tab (which Figure B shows), you can enter the URL for an internal Web server that hosts a custom Denied Access page that contains your official acceptable use policy. If you don’t enter a URL, denied HTTP requests will get a generic-looking error page. You could configure both your File_Blocker and Site_Blocker rules to show your custom page when access is denied.

Finally, to do even more advanced HTTP filtering, open the Properties dialog box of the rule that allows Internet access (not the blocking rules), go to the Protocols tab, click Filtering, and select Configure HTTP. You’ll see a set of tabs for doing application-layer filtering of HTTP. I can’t discuss all the available HTTP filtering options in this article, but as an example of what’s possible, go to the Extensions tab, select Block specified extensions, and add .wmf to the list. This is an alternative to using the Content Types tab for blocking unwanted file types. In this case, you’re blocking the image file type associated with the nasty graphics rendering engine vulnerability published in January 2006 (Microsoft Security Bulletin MS06-001—Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution). Click OK and Apply to save your changes.

InstantDoc ID 94077 
Figure B: Specifying the URL for a custom access-denied page


and/or administrator notification. Use the Scheduled Tasks applet in Control Panel to schedule the script.

Updating your blacklist is important because new bad sites are found every week. Scheduling this work is important because of the time it takes to import very large lists. On a server with a single 2.2GHz Pentium 4 CPU, for example, it takes less than 10 minutes to import 100,000 domains from a blacklist file, but that same machine requires three hours to import 500,000 domains. And during the import process, the CPU will be pegged at 100 percent. So, schedule the blacklist updates for off-peak hours, and run the ImportBlacklist.vbs script with the /belownormal option (as the last line of Listing 1 shows) to use a lower multitasking priority. Other ISA Server processes will have an easier time getting CPU cycles.
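
The article notes that a production update script needs error-checking and logging before it imports what it downloaded. The following Python is an added example, not the article's Listing 1 or ImportBlacklist.vbs: it validates a downloaded list, refuses an empty, malformed or sharply shrunken file, never blocks domains you mark as protected, and goes one step further by returning only the changes against the current list. The one-domain-per-line format, the function names, the thresholds and the sample domains are assumptions.

```python
import re

# Assumption: one domain per line, '#' starts a comment. The article does not
# show the blacklist file format, so adjust the parser to your provider's.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


class BlacklistError(Exception):
    """The downloaded list failed a sanity check and must not be imported."""


def parse_blacklist(text):
    """Return (valid_domains, rejected) where rejected is [(line_no, text)]."""
    domains, rejected = set(), []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue  # blank line or comment
        if len(entry) <= 253 and _DOMAIN.fullmatch(entry):
            domains.add(entry)
        else:
            rejected.append((line_no, raw.strip()))
    return domains, rejected


def is_protected(domain, protected):
    """True if domain is, or is a subdomain of, a domain that must stay reachable."""
    return any(domain == p or domain.endswith("." + p) for p in protected)


def plan_update(current, downloaded_text, protected,
                max_shrink=0.5, max_reject_ratio=0.05):
    """Validate a download and return what to add to or remove from the blocked set."""
    new, rejected = parse_blacklist(downloaded_text)
    if not new:
        raise BlacklistError("no valid domains: empty file or an error page")
    if len(rejected) / (len(new) + len(rejected)) > max_reject_ratio:
        raise BlacklistError(f"{len(rejected)} malformed lines: wrong file format?")
    if current and len(new) < len(current) * (1 - max_shrink):
        raise BlacklistError("list shrank sharply: truncated download?")
    skipped = sorted(d for d in new if is_protected(d, protected))
    new -= set(skipped)
    return {
        "add": sorted(new - current),            # import only these
        "remove": sorted(current - new),         # no longer listed
        "skipped_protected": skipped,            # log and alert an administrator
        "rejected": rejected,                    # log for review
    }


# Constructed sample data (not from a real blacklist).
SAMPLE_CURRENT = {"bad-site.example", "old.example", "ads.example"}
SAMPLE_DOWNLOAD = """# constructed sample list
bad-site.example
ADS.example.
new-bad.example
intranet.corp.example
not a domain
"""

if __name__ == "__main__":
    plan = plan_update(SAMPLE_CURRENT, SAMPLE_DOWNLOAD, {"corp.example"},
                       max_reject_ratio=0.25)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Importing only the "add" entries also shortens the import window the article measures, since most of a weekly list is unchanged.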

Note that you'll have to allow ISA Server HTTP access to the Internet for the batch script to run. Following the procedure in Step 3, create a rule that gives ISA Server access only to the blacklist download site. Set the source network to Local Host and the destination URL to the location of the blacklist to be downloaded.

Importing blacklists for domain blocking is just one example of ISA Server's scriptability. You can find lots of other scripts at sites such as http://www.isatools.org, http://www.isaserver.bm, and http://www.isascripts.org (my site), and Microsoft has an ISA Server software development kit (SDK) if you want to write your own. Using blacklists and scripts as we've done here won't be as scalable or full-featured as using a commercial content filter, but if you're on a budget, it might be good enough.
Tricks & Traps - Ask the Experts

Q: We're concerned about the security of data on mobile devices if those devices are lost. We have more and more employees using smart phones and other mobile devices that have copies of our users' mailboxes as well as whatever company data (e.g., customer lists) that they copy to their devices. What can we do to protect that data?

A: You're right to be concerned, not only about the information on the devices but the passwords as well, because most of your users probably have configured their devices to save their password for synchronizing with Microsoft Exchange Server. That Active Directory (AD) username and password is often also their main account for accessing the rest of the Windows network. Windows Mobile protection of saved passwords has come under fire for being easy to break. Therefore, loss of a device could potentially result in that user's entire account being compromised, including all applications that depend on AD for authentication.

Asking users to configure mobile devices with a PIN is likely to meet with little compliance because of the inconvenience, especially because some poorly designed Windows mobile phone devices require you to enter the PIN just to answer an incoming call.

To reduce the risks associated with mobile devices, you should consider implementing the Windows Mobile 5.0 Mobility and Security Feature Pack and insist that all devices on your fleet either run Windows Mobile 2005 or fully support the client-side features of the Mobility and Security Feature Pack. In addition to the Mobility and Security Feature Pack's DirectPush technology that enables mobile devices to immediately receive new email messages and other mailbox updates as they occur, it introduces two crucial features for secure management of your mobile device fleet. Mobility and Security Feature Pack allows you to remotely wipe devices that are lost or stolen and also lets you set a policy that enforces the use of PINs. If a user reports a lost or stolen device, you simply log on to the administration Web page of the Mobility and Security Feature Pack on your Exchange server and issue a remote wipe command for that device. If the radio in the device is turned on, it will immediately wipe the device's memory and report back to the Exchange server so that you get positive confirmation. Otherwise, as soon as the device is turned on, the device will see the wipe request when it tries to connect to Exchange.

I recently left my Palm Treo 700w in a cab and immediately logged on to Exchange and issued a wipe command. As it turned out, the battery had already died and I later retrieved the device from the cab driver. I was able to log on to Exchange and cancel the wipe command before bringing the phone back up, thus eliminating the need to reconfigure all my phone settings. The key to making remote wipe work to mitigate risk is to train users to notify the Help desk immediately if their phone is lost or stolen.

InstantDoc ID 94292
—Randy Franklin Smith

Q: When I attempt to use the ADSI Edit tool to delete an object, I receive an error message that the object doesn't exist. Do you know what's causing the problem?


A: I recently had this problem with 
a Group Policy Object (GPO) that I 
couldn't delete. The object showed 
up in the ADSI Edit tool, but I 
couldn't delete it. I received the 
error message The specified directory 
service attribute or value does not 
exist. 

To resolve the problem, you need 
to take ownership of the object via 
the Microsoft Management Console 
(MMC) Active Directory Users and 
Computers snap-in. To do so, follow 
these steps: 

1. Start the MMC Active Directory 
Users and Computers snap-in 
(Start, Programs, Administrative 
Tools, Active Directory Users and 
Computers). 

2. Ensure that Advanced Features 
is selected in the View menu. 

3. Open ADSI Edit and navigate 
to the object that's giving the error 
message. Right-click the object, and 
select Properties. 

4. Select the Security tab. 

5. Click Advanced. 

6. Select the Owner tab. 

7. Under Change Owner to, select 
the Administrators group or select a 
user (the user you are logged on as), 
then click OK. 

8. In the Security dialog, assign 
Full Control to the account you're 
using. 

9. Click OK. 

You should now be able to delete the object in question.
Reader to Reader

Settings in a Dell Shop

I recently needed to standardize the BIOS settings across my organization, and I found the perfect tool: the Dell Client Configuration Utility (DCCU). This powerful application lets you obtain or configure BIOS settings, flash the BIOS, and shut down or restart the system. I've used the DCCU to set Preboot Execution Environment (PXE), Wake on LAN (WOL), and administrator passwords, as well as upgrade and flash the BIOS.

Dell's documentation indicates that the DCCU is compatible with GX150 and later systems. However, I've used the utility on models as old as the GX1 to perform every function except setting BIOS passwords. The DCCU doesn't require you to install other Dell software (e.g., OpenManage) on the client PC.

You can search Dell's support Web site to find the DCCU. Make sure you download the latest version rather than an old version. The current version of DCCU is 1.2.1, which is available at http://support.dell.com/support/downloads/download.aspx?c=us&cs=555&l=en&s=biz&releaseid=rl2376lMormatcnt=2&libid=0&fileid=164480.

The DCCU interface is simple. The three main tabs correspond to the actions you can perform. You can collect information about current BIOS settings, change BIOS configuration settings, and upgrade or flash the BIOS. Select an action tab, choose the options you want, and click Create Package. The DCCU then creates a small executable package that runs in the Windows environment.

The DCCU Help files suggest using Dell OpenManage Client Administrator (OMCA), Altiris Client Management Suite, or Microsoft Systems Management Server (SMS) to deploy and execute the package across an enterprise. My organization doesn't have any of these solutions, so I wrote a Group Policy computer startup script, which Listing 1 shows, to deploy the package. This script is a batch file that copies the package to the local machine, then executes the package. You might need to modify the script for your environment.

Numerous options exist for storing the DCCU package. I stored the package that I created in a subfolder named \DELL in the Netlogon share. You can store the package in Group Policy and eliminate the need for the localserver variable, or you can store the package in a static location on a file server. The %logonserver% variable isn't available to computer startup scripts. If you have multiple sites with domain controllers (DCs) at each site, the best option is to store the package in Group Policy (in the same directory as the script) or in the Netlogon share, as in my example. This method ensures that the system copies the package from the local server.

When a package runs, it uncompresses several files, executes them, and creates XML log files. You can specify the log-file output directory during the package creation. The XML log files tell you which settings failed, which succeeded, and which weren't applicable because the setting doesn't exist in that BIOS. After a package runs, it cleans up after itself: The package deletes all the files it uncompressed and eventually deletes the package itself. Therefore, you need to use a copy of any package you create when you test and deploy the package.

The If exist line in the script prevents the package from needlessly copying and running at each reboot. One run is sufficient. During the package creation, I specified C:\BIOS as the location to store the XML log files. If C:\BIOS exists, the package has already run and the script jumps to the end and exits.

Although the packages are small (approximately 844KB), on large networks the copying can significantly increase traffic during peak boot times. Thus, you might want to apply the policy in phases to workstation subsets at various times.

If you want to create an image to deploy to new PCs, be sure to delete the output log directory (i.e., C:\BIOS) before running Sysprep. This action ensures that new PCs run the script in its entirety.

—Todd F. Connell

InstantDoc ID 94250


Listing 1: BIOSset.bat

@echo off

REM Sets the package's source location. I set the location
REM to the Netlogon share in a subfolder named DELL.
REM Modify the location for your organization.
set localserver=\\yourdomain.com\SysVol\yourdomain.com\scripts\DELL

REM Enter log-file location specified during package creation.
If exist C:\BIOS\nul goto end

copy /y %localserver%\BIOS.exe %systemroot%\system32\
cd %systemroot%\system32\
BIOS.exe

:end
@exit
Backup and Recovery Basics

How to implement a data protection strategy

No matter how large or small your business is, data backup and recovery needs to be a vital part of your IT planning. From basic tape backup to complex multiserver SAN environments, many technologies and techniques are available to meet the needs of corporate data-protection administrators. However, the core concepts and best practices of data backup and recovery apply to every computing environment.

One important first principle is that a backup and recovery plan is not a replacement for a disaster recovery plan. A backup and recovery plan defines a business's data backup and recovery needs and specifies the workflow that meets those needs. A disaster recovery plan defines how the business will get back up and running after any kind of catastrophic event. Data backup and recovery is part of a disaster recovery plan—not a substitute for one. (To walk through the steps of creating a disaster recovery plan for your business, see Ben Smith, "Surviving the Worst," June 2005, InstantDoc ID 46289.)

Let's look at the fundamentals of building a backup and recovery plan for your organization. Then, I'll take you on a quick tour of the most popular backup and recovery hardware.

Start with a Plan

Typically, the first step in backup and recovery is creating a backup and recovery plan. However, for most businesses, the actual first step is determining what funding is available for implementing data protection. It does little good to create a detailed plan that you can't afford to implement. If funding for backup and recovery isn't a problem for your business, then you're already at step two—creating the plan.

Regardless of how simple your backup and recovery needs are, a written plan is a necessity. In any business larger than a sole proprietorship, the possibility exists that the person who knows how to back up data or recover lost files won't be available when he or she is needed. (In an enterprise-class business, that's not a possibility—it's a guarantee.) A detailed written plan that describes how data is backed up and recovered guarantees that you'll be able to recover data when you need to, regardless of your IT staffing circumstances.

Two Plans in One

I've been referring to "a" plan, but in reality, your data-protection strategy should comprise two separate plans—one for data backup and another for recovery. Depending upon how complex your business is, the plans might be simple sets of instructions that describe how to back up and restore data in one location and from one or two applications, or they might include multiple sets of conditional instructions for backing up specific data in certain locations, from certain applications. Both plans in your data-protection strategy will depend to a certain extent on the software and hardware you've chosen to meet your business's backup and recovery needs. "Designing a Backup and Recovery Strategy" outlines the steps to building a data protection plan for your organization.

The backup plan. Your backup plan needs to include a mechanism for ensuring that each backup will be initiated and completed. Similarly, the plan should identify a process for confirming that backups are capable of being restored. All plans should include a process for backing up new systems so that they can be quickly restored to a baseline configuration. The entire backup plan should be available as a complete set of instructions that provides the hands-on guide to your backup process.

The recovery plan. Recovery plans are necessarily more complex than backup plans. All recovery plans need to describe common recovery operations: for example, how to restore a single file, how to restore a directory, how to restore an entire computer. In more complex environments, recovery plans should specify system dependencies and the order in which systems are to be restored. Bringing up restored computers in the wrong order will keep applications from running correctly.

A common question about data recovery is whether end users should be responsible for their own backups. Typically, giving users backup responsibility isn't a good idea (beyond configuring your network backup to protect a user's home directories). However, many backup and restore applications give administrators the ability to configure the system to give end users limited recovery capabilities. Generally, user-restore capabilities are confined to individual files or user directories; IT still maintains the responsibility for more complex restoration tasks (and documenting these tasks needs to be part of the recovery plan). Restore capabilities won't necessarily be provided to all users, so you need to document the policies and procedures for users to whom you don't give the ability to self-restore.



Backup and Recovery Hardware

Traditionally, the basic backup hardware is 
tape. Simple, effective, and inexpensive, tape 
is still a viable option as the primary backup 
solution for many companies. The speed at 
which data is written to tape is the limiting 
factor in tape's effectiveness; although tape 
drives continue to become faster, they remain 
the choke point for data backup. Only so much 
time is available for live data to be copied to 
tape before other demands on the data or the 
network make the backup process untenable. 
In a business operating 24 x 7, the window is 
usually exceedingly small, and that bottleneck 
can become a significant problem. But even in 
situations where tape isn't the optimal choice 
for live backup, it remains the medium of 
choice for offline backups. 


Gauging Capacity 

Keep in mind that the amount of backup storage
you need doesn't have to equal the total
amount of storage on your network—it needs 
only to accommodate the amount of data 
within that total that changes. For example, 
your business might have half a terabyte of 
storage in use on its network, but the majority 
of that data is likely static, with perhaps less 
than 5 percent changing on a daily basis. In 
that case, your backup solution needs to be 
able to regularly accommodate not 500GB but 
only 25GB, a capacity well within the range of 
every enterprise backup solution. 

Although backing up a 500GB data set to 
tape is inexpensive, restoring a single file or 
directory from somewhere within the twenty 
or more backup tapes containing that 500GB 
of data can be difficult. Usually, the file or 
directory to be restored will have been recently 
modified, which means it will be found in one 
of the tapes in active rotation, not in offsite 
archives. This situation reduces the time IT 
must spend to find the data to be restored, but 
it doesn't eliminate the necessity of using IT 
Alternatives to Tape

Current backup technologies are moving in the direction of disk-to-disk online backup—a faster, more reliable, and more secure medium than tape. In this environment, data is copied from its primary storage location to an online hard disk system. Data can be transferred across the network or over a dedicated storage medium such as a SAN, depending on the corporate need and computing environment. You can move the data on the secondary hard disk storage to offline archival storage or, if capacity is large enough, leave it on the secondary storage. Most organizations will undoubtedly move data to tape to allow for off-site storage of data as part of their disaster recovery plan. Disk-to-disk online backup solutions are more expensive than tape-only solutions, but entry-level prices are reasonable enough that even small businesses can consider these solutions as part of their backup strategy.


If you choose a disk-to-disk solution as 
your primary backup mechanism, you'll need 
to take into account the additional strain the 
solution will place on your network backbone. 
Although it's unlikely that you'll seriously tax a 
100Base-T or Gigabit Ethernet network while 
writing to a tape device, using disk-to-disk 
backup means that you can be writing data 
acquired from multiple sources at speeds that 
can exceed the available bandwidth on your 
network. In this case, you need to be careful in 
architecting your network. Dedicated network 
connections between servers and backup 
devices might be required to get the most from 
disk-to-disk backup tools. 

For small businesses, businesses with lots 
of mobile or remote users, or businesses with 
many distributed locations, a nontraditional 
backup methodology worth consideration is 
the Internet-based backup service. Internet- 
based backup service providers install a small 


piece of client software on the target computer 
(which is any server or client you choose). 
You then determine what level of backup you 
require (e.g., file-level backup, folder-level 
backup, machine-level backup) and configure 
the client software for the appropriate level of 
protection. Once the protection is enabled, 
you can perform a restore directly from a Web 
browser console. You can grant users whose 
machines are protected the ability to perform 
restores in the same way. 

The most significant downside associated 
with Internet-based backup technology is the 
lack of Internet bandwidth available to many 
remote or distributed sites. Many businesses 
opt for cost-effective business cable modem 
or DSL service and forget about the asymmetric
aspect of the connection; they might be
getting 6MB download speeds, but the upload 
speed is well under 1MB. Consequently, if 
users of the backup service elect to protect 
entire computers, they will be attempting to 
push a huge amount of data through a very 
small upstream pipe. To get the most out of 
Internet-based backup, initial configurations 
need to be staggered and backups scheduled 
to take place when there is no other use of the 
Internet connection for an extended period of 
time. 

Although it's less of a problem, restoring 
large amounts of data over the Internet can 
present difficulties. A definite limit exists to 
the amount of data you can pull down from 
the backup service servers. Consequently, 
many service providers offer delivery of complete
backups on DVD or tape, which can be a
viable option if you don't need the backed-up 
data immediately. 

Data Recovery Integration 

Backup and recovery processes need to be 
integral parts of the IT work flow. Starting with 
a basic needs analysis and delivering a backup 
solution that accommodates the amount of 
data that must be protected and provides for 
workable restoration processes, IT administrators
need to develop a set of practices and
procedures that create and maintain a reliable,
secure data protection environment. Setting
standards for backup and recovery and abiding
by these documented guidelines can prevent
many of the problems with data recovery that
administrators too often discover when there
is no time to find solutions.

InstantDoc ID 94307 


Designing a Backup and Recovery Strategy

Developing and implementing a backup and recovery strategy for your organization is a step-by-step process. The following outline describes the actions that take place at each step.

■ Step 1: Fund

Determine what budgetary support exists for your comprehensive data protection plan, and actively seek management support for the plan.

■ Step 2: Evaluate

Conduct a backup needs analysis to help you determine which technologies are most suitable for your backup needs. Understanding what data and storage you must protect will help you develop effective and comprehensive backup and recovery plans.

■ Step 3: Plan

Develop separate backup and recovery plans that address the data protection requirements that your needs analysis identified.

■ Step 4: Implement

Deploy backup hardware and software and perform the initial backup of the entire data store. Begin a schedule of regular full backups and incremental data backups. Move backup data off site (either via tape storage, network links to offsite storage, or Internet-based offsite storage).

■ Step 5: Test

Regularly test backups to confirm accuracy and test data recovery procedures to guarantee data availability. Test client-side backup and recovery software to assure full functionality. Retest client-side and server-side backup and recovery software after system updates and upgrades. Regular testing will help you catch problems that updating OS software can introduce in otherwise correctly functioning backups and restores.

InstantDoc ID 94306 
Let me be the first to declare, officially, if prematurely, “The file server is dead!” With the release of Windows SharePoint Services 3.0, Microsoft delivers simple, secure, and effective support for collaboration, knowledge management, and business processes.

To understand and implement SharePoint Services 3.0 and get a feel for some of its key new features, let’s create an intranet home page and a SharePoint site for the IT department of a fictional company, Windomain. You’ll see why I believe the grim reaper is a-knockin’ on your shared folders’ doors.

SharePoint Services 3.0 
in a Nutshell 

SharePoint Services 3.0 is a free add-on to Windows Server 2003. If you’re new to the SharePoint family of products, let me get you up to speed. Once upon a time, there was Content Management Server, which focused on large-scale content management issues. About the same time, Bill Gates caught the collaboration bug and SharePoint Team Services was born.

Microsoft’s modus operandi seems to be to invest maximum effort when a product reaches version three, and SharePoint technology is no exception. Windows SharePoint Services 2.0 improved on the first version but left gaping holes in functionality and ease of use. Content Management Server morphed to become Microsoft SharePoint Portal Server 2003, which built a portal “umbrella” over SharePoint sites. Now, SharePoint Services and SharePoint Portal Server have made a significant leap: Both were completely redesigned and are now joined at the hip. SharePoint Services 3.0 is now a .NET application, leveraging all the capabilities of Microsoft .NET Framework 3.0, including workflow. And SharePoint Portal Server 2003, renamed Microsoft Office SharePoint Server 2007, has become an add-on extension to SharePoint Services 3.0, providing not only extraordinary functionality, which I’ll examine in an upcoming article, but also demonstrating the robust platform for Web-application development delivered by SharePoint Services 3.0.

Installing SharePoint 
Services 3.0 

The scenario I present here reflects a typical out-of-the-box installation of SharePoint Services 3.0 on a Windows 2003 Service Pack 1 (SP1) domain member server. (To give you an effective “learn-by-doing” experience in these few short pages, I’ll leave it to you to read the SharePoint Services 3.0 readme file and deployment documentation, available from the SharePoint Services 3.0 Web site at http://www.microsoft.com/technet/windowsserver/sharepoint/default.mspx.)

Although Microsoft recommends you use a dual-processor server with many gigabytes of RAM, for a small rollout of SharePoint Services 3.0 you can get by with less, depending on what you’re doing with SharePoint, so don’t let the published hardware recommendations prevent you from taking SharePoint Services 3.0 for a test drive. In fact, I used a 1GB virtual machine (VM) to create the prototype used in this article. I wouldn’t suggest using such scant resources for a production intranet, but even a VM can provide a functional sandbox for SharePoint Services experiments.

To install SharePoint Services 3.0, you’ll need to have already installed .NET Framework 3.0. Before you launch the SharePoint Services 3.0 setup, log on to the server using an account that has administrative privileges. This account will be the initial owner of the SharePoint Central Administration site and the default SharePoint Services team site. You can easily configure the account to receive alerts related to the health and usage of the SharePoint Services server farm and sites, so you might want to use a domain user account in the Administrators group on the server, rather than the local Administrator account.

The SharePoint Services 3.0 setup will automatically configure the Windows Internal Database, a “lite” instance of Microsoft SQL Server (which is listed as SQL Server 2005 Embedded Edition in SharePoint Services), on the server. However, for a production rollout you’ll certainly benefit from the scalability and manageability provided by SQL Server, and SharePoint Services lets you run with a separate SQL Server installation to host the configuration and content databases.

When the installation is complete, run the SharePoint Products and
Technologies Configuration Wizard from the Administrative Tools folder on the
SharePoint server. The wizard initializes SharePoint Services 3.0 and creates
the first two SharePoint applications: the SharePoint Central Administration
site, and the default content site based on the Team Site template. You can
visit the default site at the URL, http://servername, which Figure 1 shows.
Take a quick look, but don’t change anything until you’ve configured your
server.

Configuring the Server

Whether you install SharePoint Services 3.0 on one server or on multiple
servers, you now have a server farm. A SharePoint server farm hosts SharePoint
Web applications. For many implementations, the two default applications
(Central Administration and the default Web application) will suffice, as the
default Web application can host an organization’s hierarchy of multiple
sites. The SharePoint Central Administration site, created by the SharePoint
Products and Technologies Configuration Wizard, lets you manage the farm and
the applications it hosts. You can open the site by using the SharePoint 3.0
Central Administration shortcut in the SharePoint Services 3.0 server’s
Administrative Tools folder. Make a note of the port on which the site is
hosted (which you can change from the site’s properties by using Microsoft IIS
administrative tools). You can access Central Administration from any computer
via a Web browser.

Figure 2: Central Administration site

The Central Administration home page reveals a task list of important,
post-setup configuration procedures, which Figure 2 shows. Click each
procedure to read more about it, then mark the item as complete after you’ve
performed the operation. I would suggest making it a priority even for this
simple SharePoint site to assign a second farm administrator and to configure
outbound email settings for the server farm. You can perform these tasks by
using Update Farm Administrator’s Group and Outbound Email Settings,
respectively, at the task list or from the Operations tab.

You can create, delete, and manage Web applications by using the Central
Administration site’s Application Management tab. Using the links on that tab,
set the time zone.

Figure 1: Default Team Site home page

Within each application are one or more site collections, each consisting of a
top-level site and one or more child sites. Each site contains lists, or data
tables, such as task lists, contact lists, and document libraries. Each list
contains items: records or documents, for example. If you’re unfamiliar with
the structure of a SharePoint implementation, visit http://www.MyOfficePro.com
and look for the article “Windows SharePoint Services, an out-of-box learning
experience.” See also the Exchange & Outlook Administrator article, “Making
Sense of SharePoint Portal Server Architecture,” August 2006, InstantDoc ID
93082.

In the example we’re creating in this article, we’ll make our intranet home
page be the default site collection at the root URL of our default Web
application. At the top-level site, we’ll allow any user, even anonymous
users, to have read-only access to that site. Beneath the top-level site,
we’ll create departmental subsites, readable by all authenticated users. Users
in a department will have higher levels of access to create and manage content
based on the functionality and resources in their department’s site. Beneath
departmental sites, we’ll have project or team sites for secure collaboration
and document sharing. So the URL namespace will be http://servername for the
home page (site collection and top-level site),
http://servername/department for the department, and
http://servername/department/project-or-team for collaboration.

Creating an Intranet Home Page 

Opening the top-level URL (http://servername), we see the default site based
on the Team Site template, which Figure 1 shows. The logon control in the
upper right corner, which reads “Welcome WINDOMAIN\administrator” in Figure 1,
drops down to reveal a small but welcome change in SharePoint Services 3.0:
the ability to quickly log on as another user and easily access your user
profile information. Because SharePoint Services 3.0 is a .NET application, it
accepts any .NET membership provider for authentication. By default,
SharePoint Services 3.0 uses Windows authentication, meaning that all
authentication is performed by your local server and its Active Directory (AD)
domain. However, you can also use other membership providers, including the
ASP.NET SQL Membership Provider. Authentication for each SharePoint Services
application is managed in Central Administration.

Where SharePoint Services 2.0 placed actions clumsily in a top-of-page bar,
SharePoint Services 3.0 consolidates actions into toolbars and drop-down
menus. Click the Site Actions menu box on the upper-right side of the window
to expand the drop-down menu. Select Site Settings, which opens a
significantly improved dashboard of site-administration options, as Figure 3
shows.

In Site Settings, look for the options listed beneath Users and Permissions.
You’ll see the Site collection administrators link, which you’ll use to add an
additional administrator for the site collection. Click People and groups to
begin assigning access to the site. You’ll see three default groups displayed:
the Owners group, which has full control of the site and its content; the
Members group, which can contribute to the site; and the Visitors group, which
has read access to the site. For each group, navigate to Settings, Group
Settings to rename each group to make it more meaningful for your users, then,
on the toolbar, click New, and choose Add Users to add members. For the
intranet home page, the Members group might include your communications team.

Allow Access to the Intranet Top-Level Site

While you’re adding members to a group, note that you can click Add all
authenticated users. For example, you’d probably want to add all authenticated
users to the Visitors group so that all employees could read the intranet home
page.

Alternatively, you could enable anonymous access, at least to the intranet
top-level site. To do this, open the Central Administration page, select the
Application Management tab, and click Authentication Providers. Click Default
and modify the authentication provider settings to enable anonymous access.
Then, back in the Site Settings of the site itself, click Users and
Permissions, Advanced permissions, and select Settings, Anonymous Access to
determine what level of access non-authenticated users can have to the site.
For an intranet, you might choose to let anonymous users access the entire
site. If you choose to restrict anonymous access to lists and libraries,
you’ll need to continue and enable access for anonymous users to each
appropriate list and library. Remember that subsites inherit permissions, so
you’ll want to disable anonymous access to departmental or team/project
subsites, which are likely to contain more sensitive information than the
intranet home page.

Figure 3: Site Settings page

In SharePoint Services 3.0, you don’t need to use standard IIS tools to enable
or disable anonymous access. In fact, as of press time, you must use Central
Administration to fully enable authentication for anonymous access. From
configuring service account credentials to backing up and restoring sites,
you’ll find welcome new support for SharePoint Services administrative tasks
within the Central Administration and Site Settings pages.

A Bit of Branding 

To customize the intranet site, click the Team Site link in the upper right
corner of any page to return to the Team Site, then click Shared Documents in
the Quick Launch navigation bar (on the left side of Figure 1), click Upload,
and upload two logos: one large (about 150 pixels wide) and one small (about
20 to 24 pixels high). When you’re done, you’ll see the two pictures listed in
the Shared Documents library. Right-click the names of the pictures and choose
Copy Hyperlink. Paste the hyperlinks into Notepad—we’ll need them in a moment.

While you’re still in the Shared Document Library, click the Settings menu in
the toolbar and choose Document Library Settings. You can fully manage and
customize all lists (and document libraries are a type of list) by using this
Settings page. Use the links in the General Settings section to change the
title of the document library to something like “Intranet Site Elements” and
to remove it from the Quick Launch view, since users won’t need easy access to
the library.

A section of the home page showing Edit mode

Return to the home page again by clicking Team Site in the upper-left corner.
In SharePoint Services 3.0, the top and left panels of a SharePoint site help
you navigate. The top panel’s navigation bar, which Figure 1 shows below the
URL, represents the site structure by default. Initially, you’ll see only one
tab for the top-level site, in this case, the Home tab. But as you add sites,
each site becomes a tab. Additional navigation is enabled by the site’s left
navigation panel, which contains the Quick Launch view by default.

You can also navigate using the “breadcrumb control,” which shows the path to
the current page. Figure 3 shows the breadcrumb to the Site Settings page:
Windomain Intranet>Site Settings.

Unlike SharePoint Services 2.0, in version 3.0 the Quick Launch view appears
on every page, and both the top navigation and Quick Launch bar can be easily
edited or hidden entirely at the Site Settings page. Click Site Actions and
select Site Settings, Look and Feel, Quick Launch. Click the Edit icon and
delete the headings Documents, Discussions, and People and Groups, and the
Tasks list. Change the heading “Lists” to “Company.” Check out the results by
returning to the home page. Alternatively, return to Site Settings, Look and
Feel, and, from the Tree View link, disable the Quick Launch altogether, since
the top navigation tabs will provide navigation to departmental sites.

To modify the site title and to paste in the hyperlink to your small logo as
the icon, use Site Settings, Look and Feel, click the Title, description, and
icon link. Experiment with color schemes by using Site Themes to find an
appropriate Web-site color scheme.

Return to the home page and click Site Actions, Edit Page. The home page, a
section of which Figure 4 shows in Edit Mode, is an example of a Web Part
page. To modify a Web Part’s properties, click the Edit link. Here is where
you can change the Site Image to link to your large logo.

A Departmental Site with Version 3 Whiz-Bang

To create the site for our IT department, start at the intranet home page and
click Site Actions, then Create, Sites and Workspaces. Create a friendly title
for this site, such as Information Technology, but give it a short URL, such
as “IT.” Configure a Team Site template and use unique permissions, so that
you can more easily give IT employees access to resources on the IT site.
You’ll be prompted to create the Visitors, Members, and Owners groups, which
you can always do later from Site Settings.

In our departmental site, let’s leverage three great new capabilities of
SharePoint Services 3.0. Click Site Actions, select Create, Wiki Page Library
and name the library “IT Wiki.” Wikis are a fantastic tool for capturing
knowledge.

Link to another page by using the syntax page name can contain spaces. For
example, you might have a message at your site: “Don’t forget to bring your
family to the upcoming corporate baseball games. The schedule is on the
Baseball Schedule page.” Clicking the link Baseball Schedule brings the user
to the existing Baseball Schedule page or, if that page doesn’t exist, will
create a new page called Baseball Schedule. So it’s easy to create a new page
from an existing page by creating a link to a nonexistent page, then clicking
the link.

Blogs are another useful tool for unstructured knowledge capture. Click Site
Actions, select Create, Sites and Workspaces and create a blog site named IT
Blogs and the URL blogs/, also using unique permissions so that you can
control who is allowed to blog to the site.

Security 

Probably one of the most important enhancements to SharePoint Services 3.0 is
item-level security. From the IT site home page, click Shared Documents and
upload a Word document. Hover over the document and, from its drop-down menu,
choose Manage Permissions. By default, permissions are inherited from the
parent—in this case, the document library. Choose Actions, Manage Permissions
to configure the permissions on the document. After the document is uploaded,
click the document link, and it will open directly in Microsoft Office Word
2007 or Microsoft Word 2003. Both versions of Word can also open and save
directly from and to a SharePoint document library by using the library’s URL
(e.g., http://wss01/IT/Shared%20Documents). When you open a document from a
library, unlike a traditional file share, the document is “checked out” to the
current editor, and the document library itself can be configured to maintain
versions.

Security also extends to the UI, with “security trimming.” If a user doesn’t
have permission to see part of a SharePoint site, links to that part of the
site won’t be displayed in the UI. For example, you can configure permissions
so that an administrator of a team site can see the Site Actions option but
readers can’t.


Better Collaboration 

Add SharePoint Services 3.0’s support for workflow, Microsoft Outlook
integration, offline files, Digital Rights Management (DRM), and forms—all of
which I’ll discuss in upcoming articles—and your business processes are now
supported more completely and more securely than ever before, with a software
cost of exactly zero. May the file share rest in peace.
Getting to Know Office 2007

by Dan Holme

Dan Holme answers your questions about the new Microsoft Office 2007 System

Got questions about Microsoft Office? Send them to Dan Holme at
danh@intelliem.com. And for more Office tips and insights, visit
MyOfficePro.com, a new community for IT professionals, developers, and end
users interested in Microsoft Office topics.


The new Microsoft Office 2007 System is more than just a makeover or a point
upgrade of Microsoft Office 2003; it’s a complete redesign. Users will notice
changes to the interface immediately, but don’t worry: All the old tools and
commands are still there—along with some spiffy new ones as well; they’re just
arranged a little differently. The new Microsoft Office Open XML file format
is also generating many questions. Here are some answers to general questions
about Office 2007 that I’ve received recently.

Q: What are the new Office 
2007 file formats? 

A: Microsoft has switched from using binary file formats (.doc, .xls, and
.ppt) to using the Open XML formats (.docx, .xlsx, and .pptx). Each Office
application that uses the new file format—Microsoft Office Word 2007,
Microsoft Office Excel 2007, and Microsoft Office PowerPoint 2007—by default
stores most of the document content in the Open XML formats. Other document
components, such as embedded code, comments, macros, charts, images, tracked
changes, and document metadata, are stored separately within the file. Office
2007 zips each component, then zips the entire document (this process is
transparent to the user). The resulting files (i.e., the document file and
associated component files) in Open XML format are significantly smaller than
their binary ancestors. For more information about the Open XML format, see
the Microsoft article “Introducing the Office (2007) Open XML File Formats”
(http://msdn2.microsoft.com/en-us/library/ms406049.aspx).

Q: What else should I know 
about the Open XML file 
formats? 


A: Microsoft Office Word 2003 and earlier versions have always used two file
types: one for documents (.doc) and another for templates (.dot). Word 2007
will use four different file types: .docx, .dotx, .docm, and .dotm (the x
stands for XML and the m for macro). Word documents and templates no longer
contain macros or code, a safety mechanism that prevents an attacker from
adding hidden code in a document. So when you save a Word 2007 document that
doesn’t have associated components (e.g., macros or comments), you’ll see a
.docx (for a document) and .dotx (for a template) file. However, if you used a
macro (or another component), you must save the file as a macro-enabled
document or template (i.e., .docm or .dotm), otherwise the macro won’t work.
To do so, from the Save dialog box, use the Save As Type drop-down list to
select the document type.

Developers can programmatically access a document’s components to enable data
mining, document creation from disparate sources, and document manipulation.
For example, you could change a corporate logo in a group of documents by
using an XML editor. You can also generate Office 2007 documents on a server
without having to install the client applications—a big plus for custom
applications (custom app developers will love being able to generate Office
documents on-the-fly on servers).

The formats for the new Office 2007 documents will be published and available
under the same royalty-free license as the Microsoft Office 2003 XML Reference
Schemas. Microsoft provides more information for developers about the
technologies used in Office 2007 at
http://msdn.microsoft.com/office/future/tools/default.aspx.
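The split between macro-free (.docx, .dotx) and macro-enabled (.docm, .dotm) files described in this answer can be checked against the package itself rather than the file name. The Python sketch below is an added example, not code from the article or from Microsoft: it opens a file as a ZIP package, reads [Content_Types].xml, and flags a file whose extension claims to be macro-free while the package carries a VBA project part. The sample packages are constructed in memory, and the function names and verdict strings are this example's own.

```python
import io
import os
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_TYPE = "application/vnd.ms-office.vbaProject"
WORD_MAIN = ("application/vnd.openxmlformats-officedocument."
             "wordprocessingml.document.main+xml")
WORD_MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
MACRO_FREE_EXT = {".docx", ".dotx"}
MAX_CT_SIZE = 1 << 20  # refuse an oversized [Content_Types].xml


def build_sample(main_type, with_vba):
    """Build a minimal package in memory (constructed sample, not a real document)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="%s"/>'
                 % main_type)
    if with_vba:
        overrides += ('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                      % VBA_TYPE)
    types = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
             'content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>'
             + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<document/>")
        if with_vba:
            # Placeholder bytes only; there is no macro code in this sample.
            z.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


def inspect_package(filename, data):
    """Classify a file by what its package contains, not by its name alone."""
    ext = os.path.splitext(filename)[1].lower()
    result = {"parts": [], "has_vba": False, "macro_main": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            info = z.getinfo("[Content_Types].xml")  # KeyError if absent
            if info.file_size > MAX_CT_SIZE:
                raise ValueError("content-types part too large")
            raw = z.read(info)
            if b"<!DOCTYPE" in raw:
                raise ValueError("DTD not expected in a package part")
            root = ET.fromstring(raw)
            result["parts"] = z.namelist()
    except (zipfile.BadZipFile, KeyError, ValueError, ET.ParseError):
        result["verdict"] = "not-ooxml"
        return result

    # Collect every declared content type (Default and Override entries).
    types = [el.get("ContentType", "") for el in root
             if el.tag in (CT_NS + "Override", CT_NS + "Default")]
    result["has_vba"] = (VBA_TYPE in types or any(
        p.lower().endswith("vbaproject.bin") for p in result["parts"]))
    result["macro_main"] = any("macroenabled" in t.lower() for t in types)

    carries_macros = result["has_vba"] or result["macro_main"]
    if carries_macros and ext in MACRO_FREE_EXT:
        result["verdict"] = "mismatch"       # name says macro-free, content disagrees
    elif carries_macros:
        result["verdict"] = "macro-enabled"
    else:
        result["verdict"] = "macro-free"
    return result


if __name__ == "__main__":
    clean = build_sample(WORD_MAIN, with_vba=False)
    macro = build_sample(WORD_MACRO_MAIN, with_vba=True)
    for name, blob in [("report.docx", clean), ("report.docm", macro),
                       ("invoice.docx", macro), ("notes.docx", b"plain text")]:
        print(name, inspect_package(name, blob)["verdict"])
```

A "mismatch" verdict is the case worth routing to review at a mail gateway or upload handler, because the file name promises a macro-free document that the contents do not deliver.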


Q: Can you use Office 2007 
to open files from legacy 
Office-application versions, 
and vice versa? 

A: Yes. To save files in the older (binary) file formats, you can use the Save
As option in Word 2007, Excel 2007, and PowerPoint 2007. To open files from
Office 2003 (and earlier) applications in Office 2007 applications, you can
use the Compatibility Mode option.

If you want to open, edit, or save Office 2007 files in Office 2003 (and
earlier) applications, you can do so by using the Microsoft Office
Compatibility Pack for Word 2007, Excel 2007, and PowerPoint 2007 File
Formats, which you can download at http://go.microsoft.com/?linkid=5754865.
The Compatibility Pack won’t save pre-Office 2007 documents, spreadsheets, and
presentations with the features and formatting new to Office 2007, but it does
read, honor, and apply all information rights management (IRM) policies that
were applied to the document.

The converter currently supports Office 2003 Service Pack (SP1), Microsoft
Office XP SP3, and Office 2000 running on Windows Server 2003, Windows XP SP1,
or Windows 2000 SP4. Microsoft has announced that it will provide a converter
for Microsoft Office 2004 for Mac but hasn’t specified an availability date.

Q: Does Word 2007 provide 
a facility that lets you print 
documents to PDF format? 

A: Yes. Microsoft provides a free add-in for Office 2007 that lets you print
to a PDF or XML Paper Specification (XPS) file. XPS is an open-format document
standard introduced by Microsoft as a competitor to Adobe Systems’ PDF. You
can learn more about XPS and download the add-in at
http://www.microsoft.com/xps.


Q: What’s new in the Ribbon UI, other than just appearance?

A: Commands are arranged in groups on tabs—that’s the Ribbon—and although the
arrangement is intuitive, it’s quite different than the traditional menu
scheme that users are familiar with. There’s no Tools menu, for example, and
all menu functions have been redistributed to various tabs on the Ribbon.

Some Ribbon tabs are contextual, meaning that they appear only when needed.
The Picture Tools tab, for example, appears only when you select a picture in
the document. As another example, there’s no View, Toolbars menu, because this
functionality is integrated in the Ribbon, as well as in the new view buttons
and zoom slider that display in the lower-right corner of the window.

The right-click context menu now contains a subset of formatting commands from
the Ribbon so that you can make common changes without having to move the
mouse up to the Ribbon. Commands that relate to the document as a whole or to
the application’s configuration are now found in the menu revealed by the
Office button in the upper-left corner of the application window. Look there
for many commands in the File and Tools menus in earlier Office versions.

You customize the Ribbon differently than you customized your toolbar in the
past. To customize the Ribbon, you customize the Quick Access Toolbar that’s
located, by default, next to the Office button and is available regardless of
which tab or section of the Ribbon you’re currently viewing. The Quick Access
Toolbar is an ideal location to place commands that you use frequently. The
drop-down arrow at the end of the Quick Access Toolbar lets you configure its
placement above or below the Ribbon, customize the commands on the toolbar,
and minimize or restore the Ribbon. Minimizing the Ribbon lets you free up
real estate in the application window.

One of the more eye-catching features of Office 2007 is Live Preview, which
dynamically applies changes as you hover over commands, previewing what the
document, worksheet, or presentation will look like if you click the command.
No more “experimenting” with formatting—it happens in real time!

Q: What are Quick Styles, 
and how do I use them? 

A: Quick Styles are collections of formatting that you can apply to a
document, worksheet, or presentation. For example, if you create a document by
using the Modern Quick Style set, then change to the Distinctive Quick Style
set, all the styles in the document (such as Heading 1 and Normal) change to
conform to the new styles. If you’re familiar with Web design, changing a
Quick Style is analogous to changing to a different style sheet when using
Cascading Style Sheets (CSS). Quick Styles are available for Word 2007, Excel
2007, and PowerPoint 2007, so that you can create a consistent look for
documents, regardless of the originating application.
It’s Hard to Warm Up to Cold Efficiency

Create a more enjoyable and productive workplace

The New Year is just an arbitrary date on the calendar, but it brings with it
a spirit of change, renewed energy, and a commitment to make this year better
than the last. Herein lies an opportunity for you as a manager to implement an
initiative to make a more positive and productive workplace for your team.

One of my favorite business-related quotes, “It is hard to warm up to cold
efficiency,” comes from Al Golin, a noted expert on the role of trust in the
modern corporation. Cold efficiency is detrimental to your organization's
long-term (and sometimes even short-term) goals and can result in a cold and
impersonal work environment. Here are 12 low-cost activities for 2007—one for
each month—that you can use to build a more personal, enjoyable, and
productive workplace.



January—Free Food

Most people enjoy an occasional morning break with a spread of doughnuts,
muffins, or bagels with coffee and juice. For less than $30, you can provide a
continental breakfast for a small-to-midsized team. Give your team members a
midmorning break from their work and a chance to get together informally for a
few minutes. Do this once a week, and for only $1500 a year, you'll see a
return in goodwill and bonding.


February—Transparency

Few things will destroy a team's trust like a lack of transparency in the
workplace. Opacity in the workplace can also lead to unhealthy rumors and
innuendo. In February, have a talk with members of your team about areas of
the company they believe are overly opaque. You might find people asking for
information about compensation structures, for example, or wanting to know
exactly what they can do to earn a promotion. Team members might even ask you
to clarify your goals as a manager. Together, determine how some, if not all,
of these areas can be made more transparent. Be sure to follow up with your
team on each idea that's suggested.

March—Brown Bag Lunch

To front-line employees, senior management can all too often become
dehumanized and can more closely resemble Dilbert's pointy-haired boss or
Catbert than real people. Start a quarterly event in which senior
employees—both executive management and senior individual contributors—share
stories about their careers, perspectives on the business, and other words of
wisdom over lunch with your team. The best executives will welcome your
initiative and jump at the chance to have an informal conversation with some
of the troops.

April—Low Hanging Fruit

Work with your team to come up with some simple, low- to no-cost benefits that
would make the workplace more enjoyable. These benefits might be anything from
schedule changes to basic culture adjustments. For example, your team might
ask whether Friday could be reserved as a no-meeting day or request that
meetings not be held before 9 a.m. or after 4 p.m. so that team members can be
more flexible with respect to school schedules. Think of things that can be
implemented easily without requiring outside permission or resources, and
implement as many as you can. Small changes such as these convey to team
members how much you value them and show the importance you place on their
well-being and satisfaction with work.

(bensmi@microsoft.com)
is a security strategist
improved management and
ing Network Security (Microsoft Press).

May—Encourage Positive Interactions

It might sound corny—right out of Leave It to Beaver—but encouraging positive
interactions within your team is essential when you're trying to create a warm
work environment. As the manager, you need to set the tone and be the example.
Almost all successful managers who are well-liked praise their employees
generously and publicly and give criticism privately. Eliminate “no, but”
conversations that unconstructively criticize ideas or respond to them
negatively. In their place, create “yes, and” conversations in which employees
build on one another's ideas and work. When someone on your team brings up an
idea, thank him or her for the idea and open a discussion with your team about
how the goal could be accomplished using that idea or some other mechanism.
June—Get Outside

We spend an unnatural amount of time indoors. In the first month of summer,
move your team outside as often as you can. Instead of sitting in a boring
office, have walking meetings with members of your team, or move a staff
meeting outside, if you have a place for everyone to sit. (You might want to
make this an October or November activity if you're in Phoenix or someplace
similar where June temperatures can be 108 degrees.)
July—Create Opportunities for Long Weekends

July is the heart of summer: The days are long and warm, and most kids are out
of school. Everyone appreciates an occasional long weekend, especially at this
time of the year. See how creative you can be with your team's schedule to
give your employees opportunities for long weekends. For example, your team
might like to work an hour or two longer Monday through Thursday in return for
leaving early on Friday or taking the day off, or the team might like to start
early and leave early on certain days. If you can swing it, try to give an
occasional complimentary day off; this is a great and welcome reward for
completing a particularly difficult project.
August—Don’t Take Yourself Too Seriously

The longest stretch of the year without a three-day holiday weekend is from
the Fourth of July to Labor Day. In August, add a goal to your team's mission:
Challenge team members to not take themselves too seriously. Ask your team
what about the company is too serious, such as corporate policies that impose
arbitrary restrictions that don't affect business. For example, at one company
that I recently visited, management tried to "preserve a professional-looking
work environment" by prohibiting employees from hanging anything, whether work
related or personal, on the walls of their cubicles. The message being
conveyed was that the building was more important than the people who worked
in it. To loosen things up, you might implement, say, a contest to see who can
create the best parody of the company slogan. Whatever you do, just make it
fun.



September—Bring Your Family to Work Day

Many workplaces observe Take Our Daughters and Sons to Work Day on the fourth
Thursday in April. Expand on the idea in the fall with an afternoon or evening
event. Have your team members invite their families to the office for food,
drinks, and games. Like many of the other ideas here, this event not only
gives team members an opportunity to have fun and get to know one another
better, but extends the bonding and sense of community to their families.



October—Harvest Time

November and December are big—and
often stressful—months
for family gatherings.
Instead of—or in addition to—throwing a
holiday party, which often adds to holiday-season
pressures, host a harvest party for your
team members and their families. Find an
apple orchard or pumpkin farm where you
can have a nice, low-key fall picnic or hold a
Halloween event complete with bobbing for
apples, pumpkin carving, and prizes for costumed
kids.


November—Giving Thanks

Work with your team 
to find an activity in 
which every member 
can participate to give 
something back to the community. A volunteer 
project fits in with the spirit of the season, raises 
your company's profile in the community, and 
helps your team members feel better about 
the community in which they live. Challenge 
your company to match your team's efforts by 
letting other employees volunteer some time
during a work day or making a contribution to
the charity your team supports. For some ideas
on what your team can do for the community,
see “4 IT Resolutions for the New Year,” January
2006, InstantDoc ID 48398.


December—Make 2008 Better Than 2007

In December, talk to 
your team about how it 
can make 2008 better than 
2007, how it can become more productive, and 
what can be done to make coming to work
every day more enjoyable for everyone. Find
out what activities worked well in 2007 and 
which ones didn't. Then, taking that feedback 
into consideration, start planning your 2008 
activities. 

Almost all 
successful 
managers praise 
their employees 
generously and 
publicly and 
give criticism 
privately.

Work and Play

Of course, fiscal responsibility and accomplishing
objectives are important for all companies,
but the resulting push for efficiency can
make a company's best assets—its employees—unhappy.
Building a warmer, friendlier
work environment will pay off in employees
who enjoy coming to work and who are more
willing to pitch in to accomplish a goal or
meet a deadline. As a manager, you'll find that
recruiting high-performing employees is a lot
easier if you've established a reputation for
being a great person to work for. Giving your
team a reason to look forward to coming to
work is a worthwhile management objective,
and who knows—you might even find yourself
enjoying work more!

SC’s Dependency Problems

3 subcommands give you greater SC control


Last month, in "Taking 3 Swings at SC" (InstantDoc
ID 93849), I showed you how to use Windows Server
2003's SC (sc.exe) command to create a new service
based on a fictional service application (i.e., C:\wc\wcmail.exe)
that grabs pictures from a Web cam every few minutes.
I walked you through the process of specifying a service
account for the service, setting it to autostart, suppressing
error messages, and giving it a display name of "Web cam
image mailer." As you'll recall, the command we ended up
with was

sc create webimagemailer binpath= C:\wc\wcmail.exe start= auto displayname= "Web cam image mailer" obj= .\webcamguy password= swordfish error= ignore

This month, let's go a little deeper. Suppose Webimagemailer
can't run until the Windows Image Acquisition
(WIA) service—with the key name stisvc—is running. In
services terms, that would mean that Webimagemailer has
stisvc as a dependency. To instruct Webimagemailer to
wait until stisvc starts before starting itself, you would add
the depend= stisvc parameter. (Don't forget: SC requires a
space between the equals sign and the parameter value.)
To specify that a service depends on more than one service,
you would list the services' key names, separated by a
forward slash. For example, to create the Webimagemailer
service and specify that the stisvc and webclient services
need to be running before it can start, you'd type

sc create webimagemailer binpath= C:\wc\wcmail.exe start= auto displayname= "Web cam image mailer" obj= .\webcamguy password= swordfish error= ignore depend= stisvc/webclient

While we're on the topic of dependencies, you can use
three SC subcommands—enumdepend, qc, and config—to
query SC about them. To determine which services
depend on a given service, you can type

sc enumdepend <servicekeyname> 

Thus, to see which services depend on the Server service—
which has the key name lanmanserver—you'd type

sc enumdepend lanmanserver 

Running that command on my test Windows 2003 server, 
for example, reveals that Netlogon, Dfs, and the computer 
browser services depend on the Server service. 

To accomplish the reverse and determine Server dependencies,
you can use the qc subcommand, as in

sc qc lanmanserver 


This command dumps nine lines of information about 
the service, one of which is DEPENDENCIES. (SC tends 
to shout.) If you run that command, you'll find that Server 
doesn't depend on any services. To see a service that has 
more than one dependency, try the command on the 
Netlogon service. You'll see that Netlogon requires both 
the Server and Workstation services running before it can 
start. 

Sometimes, dependencies are more complex than 
merely one service needing another. For example, some 
services will start only if one of three other services has 
started. (All three needn't be running; any one of the three 
will do.) You can instruct Windows about such a dynamic 
by informing the system that a given service depends on a 
group of services. Windows has a number of these service groups,
such as the SCSI CDROM Class, SCSI miniport, Parallel
arbitrator, NetBIOSGroup, NDIS, and Primary Disk groups,
to name a few. You can see all the services and drivers in a 
group by typing 

sc query type= service|driver|all group= <"groupname"> 

For example, to see all the services and drivers in the 
Primary Disk service group, you'd type 

sc query type= all group= "primary disk" 

Case doesn't seem to matter in group names. You can add
a service to a given group, or create a new service group, by
adding the group= groupname parameter to the SC Create
command or by using SC Config to modify a service's group
membership. For example, to add Webimagemailer to a
new group named "unimportant," you'd type

sc config webimagemailer group= unimportant 

As far as I can see, you can't put a service or driver in more 
than one service group. 

You can also tell Windows that Webimagemailer
shouldn't load without a particular group. To specify the
fictional Webstartup group, you'd use the depend=
webstartup parameter. To signal to Windows that Webstartup is
a group—not another service—you'd prefix its name with a
plus sign. For example, to reconfigure Webimagemailer to
depend on the Webstartup startup group, you'd type

sc config webimagemailer depend= +webstartup

Now you've seen how to use dependencies and groups to
more specifically control a service's load order. You can
understand why I was pleased to discover SC a few years
ago.
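
The dependency queries above can be checked offline once the output of sc qc has been saved to a text file. The following is an added example, not code from the column: it parses the nine-field sc qc listing, separates service dependencies from group dependencies, and works out a start order. The sample listings are constructed, the function names are hypothetical, and it assumes a group dependency is printed with the same plus-sign prefix used to set it.

```python
"""Added example: parse saved `sc qc` output, split service and group
dependencies, and derive a start order. All sample text is constructed."""
import re
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed `sc qc` listings (not captured from a real server) for the
# article's fictional service and one dependency. Assumption: a group
# dependency is printed with the same "+" prefix used to set it.
SAMPLE_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: webimagemailer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\wc\wcmail.exe
        LOAD_ORDER_GROUP   : unimportant
        TAG                : 0
        DISPLAY_NAME       : Web cam image mailer
        DEPENDENCIES       : stisvc
                           : webclient
                           : +webstartup
        SERVICE_START_NAME : .\webcamguy

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: stisvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\example\svchost.exe
        LOAD_ORDER_GROUP   : webstartup
        TAG                : 0
        DISPLAY_NAME       : Windows Image Acquisition (WIA)
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")  # "KEY : value"
CONTINUATION = re.compile(r"^\s*:\s*(.*)$")       # further DEPENDENCIES rows


def parse_qc(text):
    """Return {key name: {FIELD: [values]}} from concatenated `sc qc` output."""
    services, current, last_field = {}, None, None
    for line in text.splitlines():
        field = FIELD.match(line)
        more = CONTINUATION.match(line)
        if field and field.group(1) == "SERVICE_NAME":
            current = services.setdefault(field.group(2).strip().lower(), {})
            last_field = None
        elif field and current is not None:
            value = field.group(2).strip()
            last_field = field.group(1)
            current[last_field] = [value] if value else []
        elif more and current is not None and last_field and more.group(1).strip():
            current[last_field].append(more.group(1).strip())
    return services


def split_dependencies(config):
    """Split DEPENDENCIES into (service key names, group names); '+' marks a group."""
    deps = config.get("DEPENDENCIES", [])
    services = [d.lower() for d in deps if not d.startswith("+")]
    groups = [d[1:].lower() for d in deps if d.startswith("+")]
    return services, groups


def audit(services):
    """Return (start order, service deps with no captured config,
    group deps that no captured service belongs to)."""
    members = {}
    for name, cfg in services.items():
        for group in cfg.get("LOAD_ORDER_GROUP", []):
            members.setdefault(group.lower(), set()).add(name)
    graph, missing, empty_groups = {}, set(), set()
    for name, cfg in services.items():
        svc_deps, grp_deps = split_dependencies(cfg)
        graph[name] = set(svc_deps)
        missing.update(d for d in svc_deps if d not in services)
        # Any one started member satisfies a group dependency, so groups are
        # only checked for having a member, not ordered.
        empty_groups.update(g for g in grp_deps if not members.get(g))
    # static_order() puts each dependency before its dependents and raises
    # graphlib.CycleError if two services depend on each other.
    order = [n for n in TopologicalSorter(graph).static_order() if n in services]
    return order, sorted(missing), sorted(empty_groups)


if __name__ == "__main__":
    order, missing, empty_groups = audit(parse_qc(SAMPLE_QC))
    print("start order:", order)
    print("dependencies with no captured config:", missing)
    print("group dependencies with no captured member:", empty_groups)
```

A dependency reported as missing is a key name that was set with depend= but for which no sc qc listing was saved, which is the usual sign of a mistyped key name.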

Top 10 Longhorn Server Features

See what’s new in Microsoft’s latest OS


It hardly seems possible that Windows Server 2003
is already four years old and about to be replaced
by Longhorn Server. Four years is a long time in the
computer industry, and Microsoft has used that time to
add a plethora of important features to Longhorn Server.
Here's my list of Longhorn Server's 10 most important new
features and enhancements.

10 Hypervisor-based virtualization—Microsoft has found
a way to incorporate virtualization—one of the hottest
technologies in IT—into the Windows OS. Hypervisor
support will let Longhorn Server take advantage of the
virtualization capabilities of the new generation of Intel
and AMD processors. The result is improved performance
for virtual machines and no need for additional virtualization
software.

9 New backup and recovery tools—Longhorn
Server's backup and restore technology is a welcome
change for Windows 2003 and Windows
2000 Server administrators struggling with the old,
hard-to-use NTBackup. Longhorn Server uses Microsoft
Volume Shadow Copy Service (VSS) to perform block-level
backups and can also back up to DVD.

8 Updated Windows Firewall—Like Windows
Vista, Longhorn Server will include the updated
Windows Firewall. The new version lets you filter
both incoming and outgoing traffic and can be
configured using Group Policy or Microsoft Management
Console 3.0.

7 Windows SharePoint Services 3.0—Longhorn
Server will include Windows SharePoint Services
3.0, which features an updated administration
model that lets you delegate SharePoint administrative
tasks. SharePoint Services 3.0 also provides a
multistage recycle bin and support for VSS for improved
recoverability.

6 IIS 7.0—Microsoft Internet Information Services
(IIS) 7.0 has a new modular architecture that provides
more granular control over which features
are installed on the Web server. IIS 7.0 also sports
an administration UI that lets you manage both Web server
and ASP.NET properties. Editing and backing up configuration
data is easy because IIS 7.0's configuration settings are
stored in an XML file.

5 New Server Manager—Acting like a combination
of the Windows 2003 Manage Your Server Wizard
and the Security Configuration Wizard, Longhorn
Server's Server Manager provides a role-based
management interface. Server Manager lets you add and
change server roles and features, monitor server health,
and manage user accounts and services.

4 WDS—Longhorn Server revamps Microsoft
Remote Installation Services and renames it Windows
Deployment Services (WDS). WDS supports
Microsoft's new image-based deployment using
the Windows Imaging Format. WDS is built using Windows
Preinstallation Environment and supports bare-metal and
network installations for Vista and Longhorn Server.

3 Enhanced Terminal Services—Based on the new
RDP 6.0, Terminal Services support in Longhorn
Server lets users share a single remote application
rather than an entire desktop. From the remote
system's perspective, using Terminal Services to run an
application looks just like executing a local application. For
example, you can start remote programs by double-clicking
an icon, menu option, or associated file extension.

2 NAP—The long-awaited Network Access Protection
(NAP) security feature lets you create a
customized health policy that a networked client
must comply with before being granted network
access. For example, you might require the client to have
antivirus software, specific firewall settings, and certain
updates to software. Clients that don't comply will have
restricted network access until the problems that cause
them to be noncompliant are corrected.

1 Server Core—Longhorn Server's
biggest enhancement is a new type
of server installation called the Server
Core. The Server Core doesn't provide
a graphical UI, requiring system configuration
and management to be performed
either through the command
line or remotely, and doesn't include
application-oriented features such as the Microsoft .NET
Framework or Microsoft Internet Explorer. The Server
Core can act as a domain controller, a DNS server, a
DHCP server, or a file server.

Readers Review


At a Glance

Barracuda Networks' Barracuda Spam Firewall 300
Dominik Reichl's KeePass Password Safe
Gabriel Topala's System Information for Windows


Protect Your Email Server

Barracuda Networks’ Barracuda Spam Firewall 300

Reader: Jacob Rowley, Systems analyst
Product: Barracuda Spam Firewall 300
Company: Barracuda Networks
Contact: www.barracudanetworks.com

Have you noticed a decrease in the amount of spam
you've been receiving? Neither has Jacob Rowley. And like
IT pros everywhere, he knows that some of those unwanted
messages contain deadly viruses that could bring down his
system. However, Jacob's company uses Barracuda
Networks' Barracuda Spam Firewall 300, an integrated
hardware and software solution that protects email
servers from spam, viruses, phishing messages, and spyware.

Barracuda Spam Firewall has a detection rate of as much as
97 percent and registers only 0.01 percent of false positives.
To deal with the occasional false positive, "Barracuda has
built some excellent search options into the product,
which let me find a message that got blocked very easily and
quickly," says Jacob. He adds that Barracuda lets him search by
whitelisted, blocked, virus, quarantined, or delivered messages.
You can also search for messages by username or domain name.
"Barracuda Spam Firewall is one of the best pieces of equipment
in our entire organization," Jacob says. "It's such a great
appliance that some people forget we have it because it does
such a great job!"

What’s Hot


Secure and Manage Your Passwords

Dominik Reichl’s KeePass Password Safe

Reader: Carmen Nuland, Senior systems analyst
Product: KeePass Password Safe
Company: Dominik Reichl
Contact: keepass.sourceforge.net

IT pros know how hard it can be for users to
remember all the passwords they need for numerous Web
sites, systems, and applications.
Too often, administrators as well as
users resort to writing passwords on
paper or storing them in an unsecured
document. Carmen Nuland
used to use an unprotected Microsoft
Excel spreadsheet to hold all
her URLs, user IDs, and passwords.
But then she discovered Dominik Reichl's KeePass Password Safe.

Carmen says that with KeePass, she needs to remember only one
password. The free, open-source software lets her create one database
for personal passwords and another for work-related passwords and
secure both databases by using a master password, key-disk, or combination
of the two. “You can also sort passwords by creating groups to
store Internet URLs, email, software licenses, and banking passwords,"
says Carmen. “Plus, KeePass will automatically create random passwords
for you, if you wish."

KeePass uses the Advanced Encryption Standard and Twofish algorithms
to encrypt the database. If you copy a password entry, KeePass
secures the clipboard, then automatically clears it after you've pasted
the contents or after a certain period of time. In addition, KeePass locks
the database when you minimize the window. You can export your
password list to a variety of formats, including comma-separated value
(CSV) and XML.

What’s Hot


Easy Configuration Analysis and Diagnostics

Gabriel Topala’s System Information for Windows

Reader: Curtus Regnier, Owner and president of In the Light Consulting
Product: System Information for Windows
Company: Gabriel Topala
Contact: www.gtopala.com

While working on security-related projects, Curtus Regnier has to check
systems for vulnerabilities such as open shares, open ports, and improperly
managed services, so he went looking for a tool that could quickly
and easily give him the information he needs. He
found Gabriel Topala's System Information for
Windows (SIW) freeware. SIW provides Curtus all
the data he needs, plus a lot more.

Compatible with all versions of Windows, SIW
performs configuration analysis and diagnostics, listing information such as specifications for the OS and
installed software, serial numbers, and open files. The tool also provides information about hardware and
peripherals, including the motherboard, memory, video cards, printers, disk drives, SCSI devices, network
shares and connections, and network cards.

"A number of tools, when used together, can perform the functions of SIW,” says Curtus. “But this tool is so
comprehensive that you only need one tool to do your work." The software can create reports in comma-separated
value, HTML, text, or XML format, and you can run it in batch mode. Curtus especially likes the fact that, because
SIW doesn’t need to be installed on the computer, he can carry it with him on his USB drive wherever he goes.

Send your funny screen shots, juicy rumors, or industry humor to rumors@windowsitpro.com.
If we use your submission, you’ll receive a Ctrl+Alt+Del coffee mug.



I’m having an error trying to 
understand this error 


Error 




An error has occured while creating an error report 



User Moment of the Month 


I had just logged on to my system when my phone rang. The woman on the phone told me something
cryptic: “My computer won’t shut on.” I said, “Your computer won’t shut on? Does that
mean your computer won’t turn off or turn on?” She said, “It won’t turn on.” I asked her to ensure 
that all the cables were plugged in and that the light on the power strip was on. She said, “I can’t 
see the power strip, but it must be working because my phone works.” I said, “I see. I’ll be right 
over.” I crawled under her desk, moved her purse out of the way, and turned on the power strip. 

She said, “Oh my, that was simple.” 

—Michael Tucker 


00000000, 00000000, 00000000, 00000000
00000000, 00000000, 00000000, 00000000

GSK Error Trapper

Progress

Windows is exiting. Is this OK?

Taking a little break?

I think you’ve zeroed in on the problem


by Scott Adams

THAT'S IMPOSSIBLE.
GET THE USER DATA FROM ED.
ED IS AN UNREACHABLE. HE DOESN'T ANSWER HIS PHONE OR RETURN MESSAGES. HE'S NEVER IN HIS CUBICLE AND HE DOESN'T READ E-MAIL.
DOES HE USE THE RESTROOM?
NO, WE THINK HE MODIFIED HIS BRIEFCASE.